The regulation represents a significant shake-up for organizations, many of which have argued that the new rules open them up to more risk and that four days isn't enough time to confirm a breach, understand its impact, or coordinate notifications.
Under the incoming cybersecurity disclosure requirements, first approved by the SEC in July, organizations must report cybersecurity incidents, such as data breaches, to the SEC in a specific line item on a Form 8-K report within four business days. According to the regulator, the rules are intended to increase visibility into cybersecurity governance and provide disclosure in a more 'consistent, comparable and decision-useful way' that will benefit investors and companies alike.
[
add
]
[
|
|
...
]