On March 9, the Securities and Exchange Commission (SEC) proposed a new rule intended to enhance and standardize disclosure requirements for cybersecurity risks. Among other things, the rule requires all publicly traded companies to report all “material” cybersecurity incidents within four business days of determining the event’s materiality. But shockingly, this notice requirement does not include an exception for active investigations by law enforcement, coordination with intelligence and national security agencies, or compliance with court orders that may restrict the timing of permissible cybersecurity disclosures—nor does it provide an exception where premature disclosure of an incident could cause significant damage to other vulnerable businesses or government entities. In theory, this could mean that a company would be required to disclose a breach before the vulnerability could even be patched.
The SEC has not thought through this proposed rule carefully enough….