The U.S. Securities and Exchange Commission has adopted new rules requiring publicly traded companies to disclose cyberattacks within four business days after determining they’re material incidents.
According to the Wall Street watchdog, material incidents are those that a public company’s shareholders would consider important.
The SEC also adopted new regulations mandating foreign private issuers to provide equivalent disclosures following cybersecurity breaches.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors,” said SEC Chair Gary Gensler today.
“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Listed companies must now include details about the cyberattack (including the incident’s nature, scope, and timing) in periodic report filings, specifically on 8-K forms.
These new cybersecurity incident reporting rules are set to take effect in December or 30 days after being published in the Federal Register.
However, smaller companies will be granted an additional 180 days before they are required to provide Form 8-K disclosures.
In some instances, the disclosure timeline may also be postponed if the U.S. Attorney General determines that an immediate disclosure would pose a significant risk to national security or public safety.
Timely disclosures designed to increase transparency
Today’s announcement follows plans to adopt these new rules revealed by the SEC more than a year ago, in March 2022.
The new rules (PDF) provide investors with prompt notifications about security incidents that impact listed companies, improving their understanding of cybersecurity risk management and strategy.
They require the disclosure of the following breach-related information (provided it is available at the time of filing Form 8-K):
The date of discovery and status of the incident (ongoing or resolved).
A concise description of the incident’s nature and extent.
Any data that may have been compromised, altered, accessed, or used without authorization.
The impact of the incident on the company’s operations.
Information about ongoing or completed remediation efforts by the company.
However, affected companies are not expected to disclose technical specifics of their incident response plans or details about potential vulnerabilities that might influence their response or remediation actions.
According to Lesley Ritter, Senior Vice President for Moody’s Investors Service, the new rules will increase transparency but will likely prove challenging for smaller companies.
“The cybersecurity disclosure rules adopted by the U.S. Securities and Exchange Commission earlier today will provide more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability,” Ritter told BleepingComputer.
“Increased disclosure should help companies compare practices and may spur improvements in cyber defenses, but meeting the new disclosure standards could be a bigger challenge for smaller companies with limited resources.”