SEC: reactions to new cyber incident disclosure rules

The United States Securities and Exchange Commission (SEC) recently introduced new guidelines regarding the disclosure of cyber incidents. These require public companies to disclose relevant incidents and vulnerabilities immediately. The SEC also proposed a change to the timing of notifications, which should be done within 4 business days of the incident being identified.

Debate between cybersecurity experts

The change has sparked heated debate among cybersecurity experts. While some argue that these rules are essential to increase transparency, others fear it could lead to premature and potentially inaccurate information. Cybereason CEO Lior Div expressed concern about the privacy impact, suggesting that a four-day notification time may not be sufficient for an accurate assessment.

Differences of opinion in the industry

While privacy concerns are present, Neil Jones, market focus lead of cybersecurity at EY, highlights the benefit of increased transparency and the effectiveness of an accountability framework. Avanan CEO Gil Friedrich believes these new rules could provide an incentive for companies to invest in cybersecurity.

The impact of the new rules

The SEC's new guidelines regarding the disclosure of cyber incidents could bring both benefits and challenges. The practical implications of the new rules for businesses and cybersecurity professionals will remain to be seen. It is certain, however, that the decision marks an important step towards making companies more accountable for the management of cyber incidents. The long-term effect could be a significant shift in cybersecurity culture, with organizations becoming more proactive in preventing attacks and more transparent in their communication when they occur.