"SEC Proposes Four-Day Breach Notification Rules"
The US Securities and Exchange Commission (SEC) has proposed new rules designed to increase transparency around cybersecurity incident reporting. The SEC wants listed companies to disclose a "material cybersecurity incident" within four business days of discovery. All states have laws forcing businesses to disclose data breaches, but those laws typically don't extend to incidents in which personal information isn't taken. SEC chair Gary Gensler said the regulator's disclosure regime needed to change to reflect evolving risk and investor needs. The SEC also proposed a requirement to provide updates on previously disclosed incidents and to disclose when "a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate." In addition, the SEC proposed that registrants describe their policies and procedures for identifying and managing cyber risk, and describe the board's role and expertise in overseeing, assessing, and managing these risks and in implementing those policies, procedures, and strategies. Listed firms would also be required to list those board members with cybersecurity expertise, including their experience in the field.
Infosecurity reports: "SEC Proposes Four-Day Breach Notification Rules"