The Securities and Exchange Commission (SEC) of the United States has recently approved a crucial draft mandating that publicly traded companies promptly report any cyber attack within four days of its occurrence or detection. The move aims to prevent companies from withholding vital information from their investors for extended periods. However, it does not strictly enforce a specific reporting deadline for breaches with significant financial impact.
Under this new regulation, affected companies are required not only to disclose that an attack occurred but also to provide comprehensive details on the nature, scope, and timing of its impact within the 96-hour window. In practice, this means affected companies must engage security experts to investigate the attack and, where possible, identify the responsible parties.
The SEC has also allowed businesses an additional 60 days to disclose further information, such as incident response measures, impacted networks and devices, overall financial losses incurred, and any system vulnerabilities that may have contributed to the incident. This extension is intended to ensure that thorough investigations and mitigation efforts can be carried out effectively without compromising the immediate response to the incident.
Publicly traded companies are firms whose shareholders hold claims on the company's assets and profits.
In a parallel development, OpenAI, Microsoft, and Google have jointly established the Frontier Model Forum, dedicated to ensuring the safe and responsible development of all future AI models. This new industry framework will also oversee the usage of machine learning models and ensure that the public is well-informed about their nature, impact, limitations, and potential capabilities.
It is noteworthy that several other countries, including Canada, the UK, South Africa, and Australia, already have similar frameworks in place, under which public companies are required to report cyber incidents within 72 hours. In contrast, countries like China and Singapore have set a stricter standard, mandating that all companies disclose such incidents within 24 hours, while India requires breaches to be reported within 6 hours.