News broke yesterday that a new SEC ruling will require public companies to disclose security breaches within four days.
The newly passed rules will also require these public companies to disclose annually information on their cybersecurity risk management and on executive expertise in securing data and minimizing risk.
While the idea of ensuring greater transparency from large organizations and providing protections for their customers and investors is well intentioned – the ruling is receiving mixed reviews.
How has the security industry reacted?
Richard Bird, CSO, Traceable AI
“Rather than exhibiting the courage and coordination required to create something as crucial as a national data privacy law, once again, agencies like the SEC are pushing for faster breach notifications in the hopes that the American people will think the government is addressing the need for stronger cybersecurity. But breach notices are not security – and never will be.
The SEC proves once again that our federal agencies can only view security with a rearview mirror. Breach notices are an outcome, not a protection. The enormous resistance of our federal government to mandate basic security principles as a requirement for doing business in our nation is inexcusable. It is time for it to treat cybersecurity as a proactive measure rather than an afterthought.”
Tyler Farrar, CISO, Exabeam
“The ruling certainly signifies a move toward increased transparency and heightened investor protection. A 4-day disclosure period can provide investors with near real-time information, which is crucial. However, this timeframe may be seen as challenging by companies given that comprehensive investigations of cybersecurity incidents can often extend beyond this period; premature disclosures can spur misinformation or unnecessary alarm.
I am hopeful that the stipulation for annual disclosure of cybersecurity risk management practices and executive expertise can be the catalyst for companies to further or finally invest in robust cybersecurity measures and expertise.
While these new regulations are indeed designed with investor protection in mind, they may also have indirect implications for consumers. Improved cybersecurity infrastructure and more timely information about breaches can help protect consumers’ data. With the new rules in place, companies may be more incentivized to avoid the reputational damage and potential drop in stock value that could follow a public breach disclosure. This added layer of accountability can thus create a safer environment for consumers’ personal information.
Moreover, these rules amplify the importance of accountability at the highest organizational levels. Cybersecurity is not merely an IT concern; it’s a strategic business issue that demands attention from the C-suite and the board. This broadened responsibility can result in a more comprehensive and effective approach to cybersecurity, further protecting consumer data.”