As of December 18th of last year, publicly traded companies are now required to disclose breaches. (soz, material cybersecurity incidents).
Prior to that, they could …basically… just effectively sweep everything under the rug “like it never happened” minus a little handwaving and paper shuffling and nobody would find out about it until the information got sold and went public.
I’ll have to go looking but I would be SERIOUSLY surprised if the disclosures apply to credit card companies (the MOST breached, historically) because I’m not sure what exactly qualifies someone as an asset-backed issuer, but it’s at least a really good step for the REST of things.
They weren’t, which is why the SEC updated 17 CFR Parts 229, 232, 239, 240, and 249.
https://www.sec.gov/files/rules/final/2023/33-11216.pdf
As of December 18th of last year, publicly traded companies are now required to disclose breaches. (soz, material cybersecurity incidents).
Prior to that, they could …basically… just effectively sweep everything under the rug “like it never happened” minus a little handwaving and paper shuffling and nobody would find out about it until the information got sold and went public.
I’ll have to go looking but I would be SERIOUSLY surprised if the disclosures apply to credit card companies (the MOST breached, historically) because I’m not sure what exactly qualifies someone as an asset-backed issuer, but it’s at least a really good step for the REST of things.