SEC requires public companies to report cybersecurity attacks within four days
SEC requires public companies to report cybersecurity attacks within four days
SEC requires public companies to report cybersecurity attacks within four days.
The U.S. Securities and Exchange Commission (SEC) has released a new statement explaining the new rules it is adopting for public companies to report cybersecurity incidents.
The rules will require listed companies to report cybersecurity incidents within four working days of “determining that a cybersecurity incident is a major incident.”
Public companies must disclose any cybersecurity incidents in a new Item 1.05 on Form 8-K, the SEC said.
These companies must also annually disclose material information about their cybersecurity risk management, strategy and governance.
In addition to public companies, the SEC said the rules would require foreign private issuers to disclose similar information.
They must disclose significant cybersecurity incidents on Form 6-K and cybersecurity risk management, strategy, and governance on Form 20-F.
Commenting on the new rules, SEC Chairman Gary Gensler said: “Whether a company catches fire in one hamlet in America or another: Losing a factory in a fire or losing millions of files in a cybersecurity incident can be significant for investors, and many publicly traded companies are now disclosing cybersecurity information to investors.
But I think both companies and investors would benefit greatly if information were disclosed in a more consistent, comparable, and decision-making way.
Today’s rules will benefit investors, companies, and the markets that connect them by helping ensure companies disclose critical cybersecurity information. “
The SEC lists different dates for when the rules will take effect, but in general public companies must begin reporting any security incidents they encounter in mid-December.
With these new rules in place, it could mean we’ll hear about accounts being compromised sooner than before.
That would allow users to respond to hacks more quickly and, if necessary, change passwords for other services they use, potentially disabling hackers who want to make money selling consumers’ account information a lot.
