The US Securities and Exchange Commission (SEC) has adopted new cybersecurity incident disclosure rules for public companies, requiring them to disclose security breaches with material impact within four business days. While some see this as a positive step towards transparency and accountability, others are concerned that it could help cybercriminals by providing information they could leverage for hacking and extortion. Industry professionals have expressed various opinions on the benefits, potential problems, and challenges the new rules may pose for affected organizations.
Some fear that attackers could use the disclosed information to assess the impact of their attacks, while others worry about the burden and strain the requirement may put on security teams. There are also concerns about how to define “material” impact and about potentially incomplete disclosures due to the rapid timeline.
The SEC’s rules are seen as setting a standard for incident response and disclosure, not only for publicly traded companies but also for private ones. Some experts hope that the new regulations will lead to increased investment in cybersecurity measures and incident response capabilities.