Companies Have 4-Day Deadline to Report Hacks in Final SEC…
(Bloomberg) -- Companies hit by cyberattacks face a four-day deadline for publicly disclosing significant impact under controversial new rules approved Wednesday by the US Securities and Exchange Commission.
Those rules, proposed last year and vigorously contested by trade organizations and businesses, would require publicly traded firms to file details of a cyberattack within four days of identifying that it has a material impact.
The markets regulator’s disclosure rules are its latest effort to boost transparency into cyber threats after years of relentless attacks against businesses from both criminal gangs and hackers backed by nation states. They also seek to address gaps in existing cybersecurity disclosures, according to the agency.
Publicly traded companies currently rely on SEC guidelines for when to address cyber risks and incidents that are considered relevant for investors. That has created a hodgepodge of cyber incident reporting. Companies that report incidents provide different amounts of detail about the impact and their response to it. Some cyber incidents aren’t reported in a timely manner, while others aren’t disclosed at all.
Companies could delay disclosure if revealing information about a hack would pose a significant risk to national security or public safety, as determined by the US attorney general. The delay, added to the newest version of the rules, responds to business concerns with the commission’s initial proposal. Business groups pushed for the delay clause, arguing that prematurely making a cybersecurity vulnerability or incident public could impede an ongoing law enforcement investigation.
Laura E. Jehl, a partner focused on cybersecurity at law firm Willkie Farr & Gallagher LLP, said that since the four-day countdown begins once a company has identified an attack as material to investors — as opposed to when it first identifies the breach — the company has ample time to prepare a filing in accordance with the rule.
“There’s a misconception that it’s an impossibly quick time line, but four days to make a filing shouldn’t be too onerous,” Jehl said.
But others pushed back on the requirement. For instance, the Information Technology Industry Council, a trade association, criticized the four-day deadline as too short because companies would be unlikely to know much about the incident at that point.
Denyette DePierro, US financial services lead in Amazon Web Services’ public policy department, urged the SEC to reconsider the four-day reporting rule. “Extending time lines for initial incident reporting would allow more complete and accurate disclosures, and minimize the risk of adverse impacts on market participants and investors from responding to active incidents on short time lines,” DePierro wrote in a letter to the commission in June.
Shardul Desai, a partner at Holland & Knight and a former federal prosecutor, said companies were concerned that the SEC was vague in defining how an incident would become material in the regulator’s eyes. “How much detail is going to be required in that 8-K filing without these companies knowing all the details?” he said.
The SEC has proposed another cyber reporting rule for investment advisers and funds, plus a similar rule for stock exchanges and other US securities market players.
Companies that fail to be forthcoming with information about cyber events can face probes and fines from the SEC for misleading investors. Software firm SolarWinds Corp., for example, has been notified of a potential agency enforcement action in connection with an extensive hacking campaign, disclosed in 2020, that infiltrated computer systems in the US government and in corporate America.
(Updates first two graphs with SEC approval.)
©2023 Bloomberg L.P.