This time, the SEC means business with its breach notification rules

After much discussion and horse-trading, the Securities and Exchange Commission (SEC) last week finally adopted rules that require all public companies to report cybersecurity breaches within four days. While there have been a number of failed initiatives to get companies to prioritize cybersecurity, enforcement by the SEC could make a real impact this time. Companies are often tempted to brush breaches under the rug, but this approach leads to negative outcomes for both shareholders and customers. The new notification requirement has the potential to drive institutional change from the board down.

The rules come only a month after SolarWinds announced that the SEC had issued a Wells Notice against their executives, indicating they intend to take action against them for their part in the 2020 breach. So there’s no doubt that the SEC means business when it comes to improving the cybersecurity of public companies.

Following an extensive comment period, many parts of the draft rules were removed to make them more palatable to industry. Gone are the requirements around recording and quantifying security postures, complex concepts of aggregate materiality, and detailed information requests from early on in a breach response. Overall, the final rules strike a very sensible balance between raising standards and removing onerous red tape.
