A new federal rule requiring public companies to report any cybersecurity incident within four days is expected to create legal challenges and insurance complications. This regulation, imposed by the Securities and Exchange Commission, primarily aims to facilitate consistent and swifter reporting of data breaches. Regrettably, companies lacking a robust data security management framework may find compliance difficult, transforming it into a potential source of heightened expenses.
The implementation of this rule, though seemingly beneficial, is regarded by many as a double-edged sword and opens the door to shareholder lawsuits. Combined with the prospect that insurance firms may tighten their underwriting standards against such claims, this raises a legitimate concern regarding business operations and cost management.
As expressed by insurance executive Kevin LaCroix, there is an added fear that these immediate disclosure requirements may force companies to ‘go public’ before they have a comprehensive understanding of the situation at hand. This rush for openness can inadvertently lead to the propagation of inaccuracies and increased litigation risks.