The Securities and Exchange Commission seems to have missed a key principle of fighting crime: Investigators don’t release all the details of an incident before it’s solved because it would make it harder to catch the criminal. This is true in cybersecurity too. You don’t want hackers to know they’ve been discovered or to highlight a company’s weakness to other bad actors. Yet a new rule from the SEC would require public disclosure of an incident within four days of discovery, even if the hack is still under investigation and hasn’t been remedied.
Those of us who have dealt with actual cyber incidents know that a fix is unlikely to materialize in four days. These reporting requirements will place a spotlight on the vulnerability in the hacked company’s cybersecurity, putting the business at greater risk of suffering successive attacks before the exploited weakness can be fixed.