The U.S. Securities and Exchange Commission (SEC) has introduced groundbreaking regulations necessitating publicly traded corporations to divulge cyberattacks within four business days once they ascertain that these incidents are of material significance.
Material incidents denote those that carry substantial weight in the decision-making process of a public company’s shareholders concerning their investments.
Foreign private issuers are not exempt from these requirements, as the SEC has enforced parallel regulations mandating them to disclose cybersecurity breaches with the same level of detail.
Gary Gensler, the SEC Chair, underscores the importance of uniform and comparable disclosure of cybersecurity incidents, emphasizing how this approach will prove advantageous to investors, companies, and the broader markets.
The specified details about the cyberattack, such as its nature, extent, and timing, must be included in the periodic report filings of listed companies, particularly in their 8-K forms.
The implementation of these new cybersecurity incident reporting rules will commence in December or 30 days following their publication in the Federal Register.
To allow smaller companies ample time to comply, a grace period of 180 days has been granted before they are obligated to provide Form 8-K disclosures.
In certain cases, the disclosure timelines may be extended if immediate reporting poses significant risks to national security or public safety, as evaluated by the U.S. Attorney General.
The essence of these new rules lies in providing investors with timely notifications regarding security incidents, thereby enhancing their comprehension of cybersecurity risk management and strategic planning.
Companies must furnish essential information such as the date of discovery and status of the incident, a concise description of its nature and extent, details about the compromised data, and the impact on the company’s operations. Moreover, they are required to disclose ongoing or completed remediation efforts.
However, specific technicalities related to the incident response plans or potential vulnerabilities that could impact the response or remediation actions are exempt from disclosure.
Despite the benefits of improved transparency, smaller companies with limited resources may encounter challenges in meeting the disclosure standards set forth by these new regulations.
It is noteworthy that the SEC had originally announced its intention to adopt these regulations more than a year ago, in March 2022, and now they have been finalized and put into effect, aiming to bolster transparency and consistency in cybersecurity incident reporting.
