U.S. rule requires public companies to disclose cybersecurity breaches in 4 days

L4sBot@lemmy.worldmod to Technology@lemmy.world – 252 points –
New U.S. SEC rule requires public companies to disclose cybersecurity breaches in 4 days
ctvnews.ca

U.S. rule requires public companies to disclose cybersecurity breaches in 4 days::The Securities and Exchange Commission adopted rules Wednesday to require public companies to disclose within four days all cybersecurity breaches that could affect their bottom lines. Delays will be permitted if immediate disclosure poses serious national security or public safety risks.

8

Technically, the clock doesn't start ticking on the four-day window for reporting until companies have determined a breach is material.

It's not all breaches. In fact, because this is the SEC, it's about financial impact, not privacy or security.

It's a good start, but I worry that a financial impact based approach creates the wrong incentive.

Public companies, really? They only managed to gather political will to impose that with securities in mind?

4 days!? That's awfully fucking generous. I would have made the requirement at 24 hours because fuck corporations.

Eh I disagree. You have to give companies time to patch their shit. If they disclose hours or days before they have time to patch that can lead to another breach assuming the vulnerability is shared.

But yes fuck Corporations.

This, sometimes not showing all the goods is the best measure. Once it’s known it can become a lot more of a threat.

But yes fuck corporations