Divided SEC Finalizes Cybersecurity Rule For Public Cos.

Data privacy attorney Shardul Desai was quoted in a Law360 article about the U.S. Securities and Exchange Commission's (SEC) final rule requiring public companies to make certain public disclosures regarding material cybersecurity incidents. The final rule gives companies four business days to disclose material cybersecurity incidents from the time the companies determine that an incident was material. Mr. Desai said the final rule is much more streamlined and effective than the proposed rule because it eliminates many specific, unnecessary and excessive requirements for companies.

Additionally, Mr. Desai said the final version of the rule does a better job of balancing companies' needs for flexibility and security with providing information to investors while also noting that the law enforcement exception is very limited and impractical, saying among other things that it will be hard to get ahold of the Attorney General in a short time period.

"They recognize it's not going to be immediate in many cases, and that there is going to be time needed to investigate that decision of materiality," Mr. Desai said, adding this will be helpful for companies going through this process.

READ: Divided SEC Finalizes Cybersecurity Rule for Public Cos. (Subscription required)