SEC Rules Making Cyber Disclosures Public May Raise Risk
Cybersecurity and data privacy attorney Shardul Desai was quoted in a recent Law360 article about the U.S. Securities and Exchange Commission's (SEC) new cybersecurity rules regarding how companies handle cybersecurity breaches. The new rules require public companies to share incident-specific disclosures within four days of a data breach and share annual disclosures about their cybersecurity risk management, strategy and governance practices. However, many have raised concerns that the new rules may leave companies more vulnerable to cyber attacks.
"The cyber risk disclosure process is intended to assist non-cyber experts in making investment decisions, but it's also likely to assist cyber criminals by informing them about companies' cybersecurity posture and resilience, and plaintiffs' counsel will also likely be looking at whether disclosures about risk management programs are accurate," Mr. Desai explained in the article. "That raises the concern that the rule is a little shortsighted in creating additional significant risks, with some marginal gains for investors."