Cybersecurity incidents are constantly in the news these days, but you’ll soon be hearing about a lot more of them. That’s because a new rule from the Securities and Exchange Commission went into effect on Monday, requiring all public companies to report data breaches in just four days.
The new SEC rule requires public companies to submit a government filing within four business days of determining a cybersecurity incident “material.” In 23andMe’s data breach, users found out in December that 6.9 million people had their biodata exposed, even though the hack happened in early October. In that case, it’s unclear when 23andMe knew about the severity of the hack, and how material it was, but it’s possible users could have been alerted much sooner.
Public companies currently take roughly 80 days to report incidents to the SEC, according to the latest research from Gartner. That number has only increased in recent years, up from 60 days in 2020, as companies take longer to respond while they curate PR responses to massive data breaches. Some take closer to 100 days, however, because there are very few rules around reporting data hacks at all.
The key word in this legislation is “material,” because it’s ambiguous and hard to define when exactly a cybersecurity incident is determined to be so. The Supreme Court defines material evidence as a substantial likelihood that a reasonable investor would consider it important. A CEO could learn about a data breach in January but only determine it was material in February, after weeks of an internal review.
The SEC rule, passed in July but went into effect Dec. 18th, also requires companies to give more details about an incident’s nature, scope, and timing. This means the public will know more about data breaches more quickly than before. Cybersecurity responses have long been undermined by public companies, who profit off of millions of user data points but have relatively weak security systems.
Just recently: we’ve learned that Comcast lost every single Xfinity customer’s data; PlayStation’s Insomniac Games was hacked and lost 1.67 terabytes of data, including the passports of its employees and details to a new Wolverine game; and a huge mortgage and loan company, Mr. Cooper, lost the data of 14 million people. Those are just the cybersecurity incidents that were reported last week. However, Americans may have already been impacted by some other company that lost your data, they just don’t know it yet. The new SEC rule aims to change that.