The US Securities and Exchange Commission (SEC) has proposed a new cybersecurity rule, but it won’t be finalized until at least October 2023. Originally, it was expected to be finalized in May 2023, but the SEC announced that the earliest possible date for the final rule is now October.
The proposed rule has various aspects, such as requiring companies to document their cybersecurity procedures and have cybersecurity experts on their Board of Directors. However, the main reason for the delay is the disagreement over the requirement to report cybersecurity incidents within four days.
Under the SEC’s proposed rule, public companies would need to report significant cybersecurity incidents through a special form called Form 8-K. This form is used for urgent disclosures that can’t wait for regular quarterly or annual filings. Importantly, companies would have to file the form within four business days from the day they determine the incident is significant, not from the day they discover it.
According to the SEC, the significance of a cybersecurity incident depends on whether it would be important for shareholders to know when making investment decisions or if it affects the overall information available.
Some concerns have been raised about the four-day reporting requirement. Commenters worry that disclosing an ongoing incident without containment could lead to more harm for investors, as attackers may escalate their attacks or cover their tracks. Additionally, companies argue that the four-day timeframe is too short to fully understand the nature, scope, and impact of a cybersecurity breach and to focus on remediation efforts.
Furthermore, the reporting requirements don’t have exceptions for cyber incidents related to national security or law enforcement investigations. Swift disclosure of certain incidents could potentially harm US national security or hinder ongoing law enforcement operations.
Considering these objections, it is unlikely that the rule will be finalized by the end of this year.
