Comment by jmclnx
9 hours ago
Isn't there a new law from the Biden era that forces a company disclose breaches to their customers and the SEC within a few weeks ?
If so and if the US had a sane administration maybe, this would be acted upon, but these days, anything goes as long as you 'donate' to the ballroom.
Yes, I did briefly touch on that in the article. "SEC rules require timely reporting of material cybersecurity incidents."
Looking into this more now I see SEC Rule requiring disclosure within 4 business days of determining a cybersecurity incident is "material"
There is a big list of SEC violations as a result: 1. Late Disclosure (Item 1.05) If materiality was determinable in January → 4-day rule violated Penalty: Fines, enforcement actions
2. Misleading Statements/Omissions (Rule 10b-5) Any public statements about security between Jan-May could be problematic Omitting known material risks = securities fraud
3. Inadequate Internal Controls (SOX) Failure to properly investigate and escalate user reports Inadequate breach detection systems
4. Failure to Maintain Adequate Disclosure Controls My report should have triggered disclosure review Going silent suggests broken escalation process