‘Cyclops Blink’ Shows Why the SEC’s Proposed Cybersecurity Disclosure Rule Could Undermine the Nation’s Cybersecurity

On March 9, the Securities and Exchange Commission (SEC) proposed a new rule intended to enhance and standardize disclosure requirements for cybersecurity risks. Among other things, the rule requires all publicly traded companies to report all “material” cybersecurity incidents within four business days of determining the event’s materiality. But shockingly, this notice requirement does not include an exception for active investigations by law enforcement, coordination with intelligence and national security agencies, or compliance with court orders that may restrict the timing of permissible cybersecurity disclosures—nor does it provide an exception where premature disclosure of an incident could cause significant damage to other vulnerable businesses or government entities. In theory, this could mean that a company would be required to disclose a breach before the vulnerability could even

[…]

This article has been indexed from Lawfare
