Cyberattack disclosure policies need rework: SEC

Published November 10, 2017
FOXBusiness

After a slew of high-profile data breaches this year, the U.S. Securities and Exchange Commission (SEC) is planning to update how companies are required to report cybersecurity incidents.

The SEC’s director of corporation finance, William Hinman, said during a legal conference in New York that while the current guidelines are “in pretty good shape,” the SEC will add a couple of new requirements, according to The Wall Street Journal.

The Equifax (NYSE:EFX) breach, which compromised the personally identifiable information of more than 145 million Americans, brought certain issues to light regarding how companies disclose breaches to the public. The company discovered the intrusion in July, but did not inform consumers until September. Many also perceived its response to the incident as disorganized and inadequate.

The SEC itself was also hacked in 2016 and did not disclose that breach to the public until September of this year.

Another big issue that executives raised during congressional testimony before the Senate Commerce Committee on Wednesday was what type of information they should be required to disclose. The argument against disclosing every small potential danger a company faces was that consumers would become numb to the barrage of cyber threats.

The SEC hasn’t updated these guidelines in six years, and breaches have only become more prevalent as a larger portion of consumer and business data is stored on the Internet.

The SEC did not immediately return FOX Business’ request for more information on the forthcoming, updated guidelines.