New law orders companies that suffer cyberattacks to report them in less than four days

The U.S. Securities and Exchange Commission (SEC) has confirmed its plans to establish a new measure for organizations suffering from cyberattacks. This provision requires publicly traded companies to disclose any attacks and other significant cybersecurity incidents within four days, in a bid to strengthen security measures in financial markets.

This provision is being analyzed at a time when attacks such as ransomware are clearly on the rise, causing millions of dollars in losses and multiple interruptions of operations, so the authorities consider it necessary to implement new cybersecurity mechanisms.

The agency’s four commissioners, three Democratic representatives and one Republican, will vote on the proposal at a public meeting in the coming days. If approved, the proposal will initiate a process to receive the opinion and feedback of experts and the general public; the SEC will receive comments on the proposal for at least 60 days before issuing the final opinion.

In reality, the U.S. federal government has long asked companies to report potential security risks to their customers and investors, although the SEC adopted this approach to cybersecurity only a couple of years ago. However, Commission officials believe that reports of cybersecurity events have been inconsistent, so the current provisions need to be reviewed.

In addition to the 4-day limit for reporting these incidents, affected companies must provide regular updates on previous incidents and report when these cases have generated interruptions in their operations and the possible effects on employees, customers and investors.

Finally, the new provisions state that organizations must include in their annual operating reports a detailed description of their cybersecurity policies, incident response and IT security expertise among the members of their boards of directors.
