Stock photo with lock and digital data (Credit: Titima Ongkantong/

The Securities and Exchange Commission’s (SEC’s) proposed cybersecurity disclosure rules, which would allow investors for the first time to make apples-to-apples comparisons of companies’ cyberattack vulnerabilities and defenses, might actually have the unintended consequence of giving bad actors artillery to do more harm.

That was among the common themes in letters that companies, trade groups, and other interested parties submitted to the SEC in response to the March rollout of the proposed rules. Many of the more than 140 letters expressed concern about the rules’ requirement that companies disclose material cybersecurity incidents within four days.

That’s too tight a window, commenters argued. In some cases, four days does not give companies enough time to fully get their arms around the extent of the attack, and they may not have yet succeeded in cutting off criminals’ access to their systems.

Dig Deeper


Treasury & Risk

Join Treasury & Risk

Don’t miss crucial treasury and finance news along with in-depth analysis and insights you need to make informed treasury decisions. Join Treasury & Risk now!

  • Free unlimited access to Treasury & Risk including case studies with corporate innovators, informative newsletters, educational webcasts, and resources from industry leaders.
  • Exclusive discounts on ALM and Treasury & Risk events.
  • Access to other award-winning ALM publications including and

Already have an account? Sign In Now
Join Treasury & Risk

Copyright © 2022 ALM Global, LLC. All Rights Reserved.