Cyberattack disclosure policies need rework: SEC

SEC FOXBusiness


After a slew of high-profile data breaches this year, the U.S. Securities and Exchange Commission (SEC) is planning to update how companies are required to report cybersecurity incidents.


The SEC’s director of corporation finance, William Hinman, said during a legal conference in New York that while the current guidelines are “in pretty good shape,” the SEC will add a couple of new requirements, according to The Wall Street Journal.

The Equifax (EFX) breach, which compromised the personally identifiable information of more than 145 million Americans, brought certain issues to light regarding how companies disclose breaches to the public. The company discovered the intrusion in July, but did not inform consumers until September. Many also perceived its response to the incident as disorganized and inadequate.

The SEC itself was also hacked in 2016 and did not disclose that breach to the public until September of this year.


Another big issue executives brought up during congressional testimony before the Senate Commerce Committee on Wednesday pertained to what type of information they should be required to disclose. The argument against disclosing every small potential danger a company faces was that consumers would become numb to the barrage of cyber threats.

The SEC hasn’t updated these guidelines in six years, and breaches have only become more prevalent as a larger portion of consumer and business data is stored on the Internet.


The SEC did not immediately return FOX Business’ request for more information on the forthcoming, updated guidelines.
