SEC Now Requires Companies To Disclose Cyberattacks In 4 Days

The U.S. Securities and Exchange Commission (SEC) has implemented new rules requiring publicly traded companies to disclose any cyberattacks considered material incidents within four business days of discovery. According to the Wall Street watchdog, material incidents are those that a public company’s shareholders would consider important “in making an investment decision.” The SEC also adopted new regulations mandating foreign private issuers to provide equivalent disclosures following cybersecurity breaches. Listed companies must now include details about the cyberattack (including the incident’s nature, scope, and timing) in periodic report filings, specifically on 8-K forms.

These new cybersecurity incident reporting rules are set to take effect in December or 30 days after being published in the Federal Register. However, smaller companies will be granted an additional 180 days before they are required to provide Form 8-K disclosures. In some instances, the disclosure timeline may also be postponed if the U.S. Attorney General determines that an immediate disclosure would pose a significant risk to national security or public safety. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors,” said SEC Chair Gary Gensler today.

“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”