SEC Mandates Cyberattack Disclosure Within Four Days: What It Means for Companies and Investors
This week, the U.S. Securities and Exchange Commission (SEC) announced new regulations requiring publicly traded companies to disclose cyberattacks within four business days of determining they’re material incidents. A significant development in the corporate landscape, these rules aim to increase transparency in the wake of rising cybersecurity threats.
Material incidents, as defined by the SEC, are those that would be deemed important by a public company’s shareholders when making investment decisions. These can range from a factory being lost in a fire to millions of files compromised in a cyberattack.
The Chair of the SEC, Gary Gensler, emphasized that both companies and investors can benefit from this disclosure, especially when made in a consistent, comparable, and decision-useful manner. This will ensure vital cybersecurity information is readily accessible, benefiting investors, companies, and the markets that connect them.
In addition to domestic companies, the new rules also mandate foreign private issuers to provide equivalent disclosures following cybersecurity breaches.
The disclosure must include details about the cyberattack, such as its nature, scope, and timing. This information must be reported in a Form 8-K filing. However, smaller reporting companies are given an additional 180-day grace period before they must comply with this requirement.
In some instances, if an immediate disclosure is perceived to pose a significant risk to national security or public safety, the U.S. Attorney General may postpone the timeline for disclosure.
These new cybersecurity incident reporting rules are set to take effect in December, or 30 days after being published in the Federal Register.
Required information for the disclosure includes the date of discovery and status of the incident (ongoing or resolved), a brief description of the incident’s nature and extent, any data that may have been compromised, the impact of the incident on the company’s operations, and information about ongoing or completed remediation efforts.
However, companies are not expected to disclose technical specifics of their incident response plans or details about potential vulnerabilities that might influence their response or remediation actions.
While the new rules promise to increase transparency around cybersecurity risks, experts warn that smaller companies may find meeting the new disclosure standards a challenging endeavor due to limited resources.
At Isogent, we believe these new rules will undoubtedly encourage improved cyber defenses and ensure investors have the necessary information to make informed decisions. This is an opportunity for companies to reassess their cybersecurity strategies, refine their response protocols, and establish robust risk management frameworks to navigate the complex digital landscape.
Protect Your Business With Isogent’s Synchronized Security Stack
With Isogent’s Synchronized Security Stack, your organization will be protected from every type of cyberattack and threat. Set up a technology or security assessment today with one of our experts to see how protected your business really is.