SEC Proposes New Cyber Rule on Incident Reporting

With Congress proving unwilling, as yet, to press forward with a comprehensive federal privacy law, states and agencies are filling the void. The latest to do so is the Securities and Exchange Commission, which this week by a 3-1 vote proposed a new mandatory cybersecurity reporting rule for companies.

While companies have since at least 2011 been required “to tell the market about risks and incidents they deem to be material to investors,” according to the Wall Street Journal, the new measure would standardize the timetable for such disclosures by requiring reporting within four days after discovery. The SEC intends that window to address the gaps exposed by recent analysis finding that “some 90% of known cyber incidents at public companies went undisclosed.”

As noted by Law360, SEC officials stressed that the new rule would “not require companies to disclose technical details about cybersecurity breaches.” Still, because such incidents “have the potential to create market-wide instability and disrupt entire segments of the economy,” according to SEC Commissioner Allison Herren Lee,” the SEC decided on a uniform approach.

The rule, if implemented, would also push companies to “update previously disclosed cyber incidents and reveal, to the extent they can, when prior cyber breaches previously considered immaterial have amounted to material incidents in aggregate.”

The Robins Kaplan Privacy Pulse blog features privacy and cybersecurity litigation topics including the latest news in cybersecurity law and policy, privacy legislation, and other related cyber topics making headlines.