The US Securities and Exchange Commission (SEC) has proposed new rules intended to improve transparency around cyber incidents at public companies. Under the proposal, listed companies would have to disclose a "material cybersecurity incident" within four business days of determining that it is material. Most states already have breach-notification laws, but those laws generally cover only incidents involving Personally Identifiable Information (PII); the SEC rule would apply regardless of whether PII was involved. The SEC stated that the changes are in the interest of investors. The proposal would also require companies to provide updates on previously reported incidents and to disclose when "a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate." In addition, companies would have to disclose which board members have cybersecurity expertise and publicly describe their policies and procedures for identifying and managing cybersecurity risk.
The stated purpose of the rule is to give investors timely information on which to base trading decisions. Previously, there was no fixed deadline requiring a public company to disclose a cyber incident, even though such an incident could affect its share price. With a uniform and prompt disclosure requirement, the SEC hopes to hold public companies accountable for how they handle and report cyber-related incidents.