In a groundbreaking move, the Securities and Exchange Commission (SEC) introduced a novel regulation mandating swift disclosure of data breaches by public companies.
Gone are the days when corporations could take months to reveal information lost to malicious hacks; now, they must promptly share such incidents within a tight four-business-day window from discovery.
As reported by The Verge, the information submitted to the SEC must not merely be filed within four days but must also include specific and comprehensive details about the cyber attack.
This entails disclosing the scale, nature, timing, and potential impact on the company—a treasure trove of information that was previously withheld from the public for agonizingly extended periods.
Nevertheless, the SEC does acknowledge an exception to this expedited timeline: in situations where the public announcement of the breach poses a risk to national security or public safety, a slight delay is permissible.
This practice bears similarities to the procedure used for disclosing software and hardware security vulnerabilities.
Furthermore, the SEC is keen on learning how companies intend to tackle cybersecurity threats and who assumes responsibility for managing this domain.
As part of this policy shift, publicly traded companies are now obligated to elucidate their cybersecurity practices, even if they don’t have any in place. Additionally, they must delineate the potential risks emanating from existing threats and past incidents.
For the complete and comprehensive details of this new set of regulations, you can refer to the official press release from the SEC, a lengthy document that will certainly take some time to digest. The rules governing cyberattack disclosures will take effect after a 90-day period from their publication in the Federal Register or on December 18, 2023, whichever is later.
Smaller companies are granted a more lenient timeline, with 180 days before they are mandated to commence reporting security breaches. Companies must initiate the disclosure of their cybersecurity protocols in the fiscal year ending on or after December 15th, 2023.
As it currently stands, it may not be until 2024 that we witness whether the process of identifying the scope and impact of a data breach (and preparing a corresponding statement for the US government) can indeed occur within the rapid four-day window—or if corporations will resort to categorizing most breaches as matters of public safety or national security.