New SEC Rules Demand More Transparency Surrounding Cyberattacks

New SEC rules demand more transparency surrounding cyberattacks. The new rules in question will be putting a time limit in regard to reporting data breaches and hacks.

New SEC Rules Surrounding Cyberattacks

New SEC Rules Surrounding Cyberattacks

Public companies reportedly will now have to disclose cybersecurity incidents sooner, all thanks to a rule that was adopted by the Securities and Exchange Commission. And under the new policy, the SEC in question will require public companies to make reports of data breaches and hacks four business days after they have been discovered.

Companies will now have to reportedly disclose any cybersecurity incidents on a Form 8-K filing. These publicly available documents as you should know typically inform shareholders about major changes to the firm and now with this new rule in place, they will include a new Item 1.05 for incidents regarding cybersecurity. The very disclosure that should be made should include information on “nature, scope, and timing,” as well as “its material impact or reasonably likely” on the company.

The exception to the New Rule

There is however an exception to the four-day disclosure requirement. The SEC reportedly says that the disclosure can be delayed in the event that the US attorney general determines that calling the attention of shareholders to the incident “would pose a substantial risk to national security or public safety.”

Additionally, the SEC has carved out a new Regulation S-K Item 106 that will be included on an annual Form 10-K filing of a company. This very regulation will require businesses to describe their process “for assessing, identifying, and managing material risks from cybersecurity threats.” Companies however must also disclose the ability to assess and manage material risks from cyberattacks by their management.

What SEC Has To Say About This New Development

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler in a statement stated. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

Several companies in recent months have become victims of cyberattacks, and this is inclusive of Roblox, T-Mobile, and even Google. Hundreds of businesses also have been affected by a cyberattack attack on the file transfer tool MOVEit, and that every number in question continues to grow as more companies come forward.

When SEC Requires Public Companies to Disclose Data Breaches

The SEC on the other hand will begin requiring public companies to disclose data breaches beginning 90 days after the date of publication in the Federal Register or December 18th, 2023, whichever of them comes later. Companies Meanwhile will have to include their cybersecurity protocols in Form 10-K filings beginning in the fiscal year ending which is on or after December 15th, 2023.

Hopefully, this simply will mean that soon we will be able to learn when our data is compromised a lot faster than it used to.



Please enter your comment!
Please enter your name here