- The Securities and Exchange Commission (SEC) of the United States has introduced new regulations requiring publicly traded companies to disclose cyberattacks within four business days of determining that they are material incidents.
- Material events are those that shareholders would consider significant when making investment decisions.
- Following cyberattacks, foreign private issuers are also required to provide equivalent disclosures.
- The disclosures must contain information regarding the cyberattack, including its nature, scope, and chronology, and must be included in periodic report filings (specifically on 8-K forms).
- The new rules will go into effect in December, but smaller companies will have an additional 180 days before Form 8-K disclosures are required. If immediate disclosure poses substantial risks to national security or public safety, the timeline for disclosure may be extended under certain conditions.
The U.S. Securities and Exchange Commission has adopted new regulations mandating that publicly traded companies disclose cyberattacks within four business days of determining that they are material incidents.
According to the Wall Street watchdog, material events are those that shareholders of a public company would consider significant “in making an investment decision.”
In addition, the SEC adopted new regulations requiring foreign private issuers to provide equivalent disclosures in the aftermath of cyberattacks.
Key information required in cyber breach disclosures, SEC clarifies
“Whether a company loses a facility in a fire or millions of files in a cyberattack, it may have a significant impact on investors.” SEC Chair Gary Gensler stated that a majority of public companies provide investors with cybersecurity disclosure.
“I believe that both companies and investors would benefit from more consistent, comparable, and decision-useful disclosure of this information. By ensuring that companies disclose material cybersecurity information, the rules of today will benefit investors, companies, and the interconnected markets.”
Listed companies are now required to include details about the cyberattack (including the nature, scope, and timeline of the incident) in periodic report filings, specifically on 8-K forms.
The new rules for reporting cybersecurity incidents are scheduled to go into effect in December, or 30 days after publication in the Federal Register.
However, smaller companies will be granted an additional 180 days before Form 8-K disclosures are required. If the U.S. Attorney General determines that immediate disclosure would pose a significant risk to national security or public safety, the timeline for disclosure may be extended in certain circumstances.
Disclosures made in a timely manner to enhance transparency
The SEC first disclosed its intention to adopt these new rules more than a year ago, in March 2022. The new rules (PDF) provide investors with prompt notice of security incidents affecting listed companies, thereby improving their understanding of each company's cybersecurity risk management and strategy.
They require the disclosure of the following breach-related information (if available at the time of Form 8-K filing):
- The date of the incident’s discovery and its current status (ongoing or resolved).
- A concise description of the nature and scope of the incident.
- Any information that has been compromised, altered, accessed, or used without permission.
- The incident’s effects on the company’s operations.
- Information regarding the company’s ongoing or completed remediation initiatives.
However, affected companies are not expected to disclose the technical details of their incident response plans or information about potential vulnerabilities that could impact their response and remediation actions. According to Lesley Ritter, Senior Vice President of Moody’s Investors Service, the new rules will increase transparency, but they will likely be difficult for smaller companies.
“The cybersecurity disclosure rules adopted earlier today by the U.S. Securities and Exchange Commission will provide more transparency into an otherwise opaque but growing risk, as well as greater consistency and predictability,” Ritter told BleepingComputer.
“Increased disclosure should help companies compare practices and may spur improvements in cyber defenses, but smaller companies with fewer resources may find it more difficult to meet the new disclosure standards.”