Public companies would have to report material cybersecurity incidents no later than four business days after they occur if a rule proposed by the Securities and Exchange Commission (SEC) on Wednesday takes effect.

The proposed rule would require companies to disclose information about whether any data was stolen, steps taken to remediate the incident, and how operations were affected. Periodically, the company would have to provide updates to investors about the material effects the incident had or continues to have as well as how it is being addressed.

Aaron Nicodemus is the Editor-in-Chief of Compliance Week. He previously worked as a reporter for Bloomberg Law and as business editor at the Telegram & Gazette in Worcester, Mass.