Who knew the Securities and Exchange Commission (SEC) would adopt new cybersecurity rules forcing public companies to disclose hacks within four days? That’s good news for consumers who might be exposed to data breaches impacting these companies.
Early knowledge that hackers might have stolen your personal data during a new attack means early mitigation. You could start changing passwords and monitor other sensitive accounts immediately after a data breach happens. Well, within four days of the attack.
However, the SEC isn’t doing it out of love for the end user. That’s not necessarily the goal. And some data breaches might be exempt from the new four-day disclosure rule.
SEC Chair Gary Gensler explained that the new rule would benefit “investors, companies, and the markets connecting them” in a statement that was part of the SEC announcement:
Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.
The SEC’s main worry apparently has nothing to do with the consumer. The main focus is the bottom line of investors and the companies themselves. That’s because, yes, a massive data breach would most certainly impact the stock of any public company.
However, the sooner data breach disclosures come in, the faster everyone can act. This could reduce the fallout and allow the stock to recover faster. That is only speculation on my part. But the new SEC data breach disclosure rule might at least prevent some companies from informing you about a massive hack on the Thursday before Christmas.
There is one exception to the new four-day rule, however. Should a data breach pose a risk to national security, the disclosure will be delayed.
The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.
While the benefit to regular consumers might not be an SEC priority, it’s certainly a welcome side effect. And you’d better be aware of this new SEC policy too. That way, the next time you hear about a hack impacting your account with a publicly traded company, you’ll be quick to act.
Hacks impacting private companies are not subject to the same rule. After all, the SEC sets policy for public companies.
Over in Europe, GDPR rules force any company to disclose a data breach within 72 hours, or three days, of the hack.