SEC’s New Cybersecurity Mandate

The Securities and Exchange Commission (SEC) recently adopted new regulations requiring public corporations to disclose any cybersecurity breaches that could affect their financial health within four days, except in cases where disclosure would pose significant national security or public safety risks. The regulations, which were passed in a 3-2 vote, also stipulate that publicly traded companies must provide annual information on their cybersecurity risk management and executive expertise.

The rules are designed to increase transparency and investor protection. Disclosure of a breach may be delayed if the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety, and even then the delay can extend beyond 60 days only under exceptional circumstances.

The new SEC rules have received mixed feedback. Critics argue that the regulations exceed the SEC’s authority and could aid potential hackers by revealing companies’ cybersecurity strategies. Supporters, however, argue that the changes will elevate the importance of cybersecurity within corporations and spur improvements in cyber defenses.

The requirement was first proposed in March 2022, when the SEC recognized the escalating risk of corporate network breaches, particularly given increased digitization and the shift to remote work. A recent IBM report found that the average cost of a breach to an organization has risen to $4.5 million, a 15% increase over the past three years, further underscoring the need for the new regulations.