haruki zaemonSEC: Public companies must report cyberattacks within four days | Engadget
Shared by Simon Harris(Summary via Kagi)
The SEC has set a four-day deadline for public companies to disclose material cybersecurity incidents to investors. Companies may be granted delays if disclosure risks harming national security or public safety. The rule aims to provide more consistent and useful cyberattack information to investors, after companies like Microsoft were criticized for taking weeks to confirm attacks. While the EU’s GDPR has a three-day cyberattack disclosure deadline, technology companies have pushed back on the SEC’s four-day rule, arguing it may not allow enough time to fully understand an attack. The SEC says the disclosure will benefit both companies and investors.