A new rule implemented by the Securities and Exchange Commission will now require public companies to disclose data breaches much faster. Instead of working on their own timetables (in which it can take months before the public learns about information lost to a hack), publicly traded companies must share incidents within four business days of discovery.
As reported by The Verge, the information reported to the SEC must not only happen within four days, but it must also include specific details on the attack. That includes how large it is, what it involves, when it happened, and how it will affect the company—all info that normally takes agonizingly long for consumers to learn.
The SEC does make an exception to this compact timeline: If publicly announcing an incident could run a risk to national security or public safety, then it can be delayed. (Not unlike the practice used for disclosures about software and hardware security vulnerabilities.)
The SEC also now wants to know how companies plan to address cybersecurity threats and who’s in charge of managing that area. The change in policy additionally requires publicly traded companies to explain their cybersecurity practices (including if they don’t have any), as well as the expected risks from existing threats and previous incidents.
For the full details, you can read about this new set of regulations in the SEC’s press release—you’ll certainly have time to. The rules for cyberattack disclosures will begin to take effect 90 days after their date of publication in the Federal Register or December 18, 2023, whichever comes later. (Smaller companies get a longer reprieve; they get 180 days before they must begin reporting security breaches.) Companies must start reporting their cybersecurity protocols in the fiscal year ending on or after December 15th, 2023. As it stands, it likely won’t be until 2024 that we’ll see whether identifying the scope and effect of a data breach (and preparing a statement for the US government) can happen as fast as four days—or whether companies will start to classify most breaches as a matter of public safety or national security.