SEC Adopts New Rules Requiring Prompt Cyberattack Disclosures for Public Companies

The U.S. Securities and Exchange Commission (SEC) has adopted new rules that require publicly traded companies to disclose cyberattacks within four business days of determining that they are material incidents. The SEC defines material incidents as those that shareholders would consider important when making investment decisions. The rules also apply to foreign private issuers, which must provide equivalent disclosures following cybersecurity breaches.

"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors," said SEC Chair Gary Gensler.

Gensler emphasized the need for consistent, comparable, and decision-useful cybersecurity disclosures for both companies and investors. The new rules aim to ensure that cybersecurity information is disclosed in a timely manner, benefiting the markets and the stakeholders involved in them.

Reporting Obligations For Listed Companies

Listed companies must now include specific details about the cyberattack, such as its nature, scope, and timing, in their periodic report filings, specifically on Form 8-K.

The new incident reporting rules will take effect in December or 30 days after publication in the Federal Register. Smaller companies will have an extra 180 days to provide Form 8-K disclosures.

However, in specific situations, the disclosure timeline may be extended if the U.S. Attorney General determines that an immediate disclosure might cause a significant risk to national security or public safety.

SEC Commitment to Transparency

The SEC’s decision to implement these new rules follows its announcement more than a year ago, in March 2022, which aimed to enhance the transparency of cybersecurity risk management and strategy. The disclosure requirements include the date of discovery, the status of the incident, a concise description of the incident’s nature and extent, information on compromised or accessed data, and the impact of the incident on the company’s operations.

While the new rules aim to increase transparency and improve cyber defenses, they may pose challenges for small-scale companies with limited resources. Nonetheless, the SEC believes that consistent and timely cybersecurity disclosures will be instrumental in increasing investor confidence and overall market stability.
