The Securities and Exchange Commission seems to have missed a key principle of fighting crime: Investigators don’t release all the details of an incident before it’s solved because it would make it harder to catch the criminal. This is true in cybersecurity too. You don’t want hackers to know they’ve been discovered or to highlight a company’s weakness to other bad actors. Yet a new rule from the SEC would require public disclosure of an incident within four days of discovery, even if the hack is still under investigation and hasn’t been remedied.

Those of us who have dealt with actual cyber incidents know that a fix is unlikely to materialize in four days. These reporting requirements will place a spotlight on the vulnerability in the hacked company’s cybersecurity, putting the business at greater risk of suffering successive attacks before the exploited weakness can be fixed.

That comes with a national security risk too, as nation states often engage in or aid cyberattacks against companies. The SEC’s new rule will help states cover their tracks by alerting them to any discovery. And it’ll make it easier for them to find targets by highlighting what businesses are vulnerable and how.

The goal of the SEC’s new rule is to inform investors about attacks, which is a fine idea in principle. Investors should be informed about firms’ cybersecurity risks and sharing information about attacks can help other businesses optimize their own cyber defenses. Reporting is important, but companies should be allowed to resolve an incident before making it public.

Other regulators are racing to require companies to report problems even faster, creating the possibility of confusion of whom to report to and when. Following the European Union requirement of three days, Congress has charged the U.S. Department of Homeland Security to create rules that would also require reporting within three days of an incident, except for ransomware payments, which must be reported in one day. The New York State Department of Financial Services is also asking for a report in three days. The Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corp. have required notification no later than 36 hours after a banking organization determines that an incident has occurred. India has skipped a time frame altogether, requiring immediate reporting to the government.

Unlike the SEC rules, most of these allow companies to investigate and remediate the incident. But it would be better if the U.S. agencies worked together to create common rules that give businesses a reasonable delay before they report. It would go a long way toward simplifying reporting standards if they clarified what information needs to be reported and when.

The key is to balance national security with other concerns, including the investor’s right to be informed. This balance can be achieved, but it will require agencies to look past their own narrow priorities and put the public interest, including national security, first.

Ari Schwartz

Mr. Schwartz served as special assistant to the president for cybersecurity policy, 2013-15. He coordinates the Center for Cybersecurity Policy and Law.
