SEC Cybersecurity Disclosure Rules Take Effect

So, it begins! The SEC cybersecurity disclosure requirements take effect today for public companies, requiring them the report material cybersecurity events to the SEC and investors. I can simultaneously hear both a waterfall of tears and a resounding applause coming from the cybersecurity sectors as this has serious ramifications to how many companies chose to handle such notifications (if they did so at all in the past).

Henceforth, investors should consistently get the benefit of being informed in a timely manner for material incidents that now include cyber-attacks! They have this right, to understand issues with their investments, and material cyber events were often missing from the picture until now.

The genesis of this requirement was due to many organizations choosing to delay for unreasonably long periods or find excuses to not report such issues to the public. In fact, many such admissions only occurred after security researchers or attackers themselves when public first, thereby forcing the victim organization to communicate to its shareholders, partners, and customers. Sadly, many games were being played and the requirement to report material issues was played fast-and-loose, to the detriment of investors and consumers.

Not any longer. Now the decision is to either lawfully comply or potentially be…