New SEC Rule Requires Quicker Disclosure of Cybersecurity Incidents
McCreary County Record – The Securities and Exchange Commission (SEC) has recently passed a new rule aimed at enhancing cybersecurity transparency among public companies. The rule requires companies to disclose any data breaches or cyberattacks within four business days of discovering them.
Under the new regulation, the disclosure of these incidents must be included in a publicly available Form 8-K filing. Form 8-K is a document that provides shareholders with vital information regarding significant changes within a company. Companies must include details about the nature, scope, timing, and material impact of the cybersecurity incident in this filing.
However, disclosure can be delayed if the US attorney general determines that notifying shareholders would pose a substantial risk to national security or public safety. This provision ensures that sensitive information is protected while maintaining transparency to shareholders when possible.
Another important aspect of this new rule is the inclusion of Regulation S-K Item 106 in the annual Form 10-K filing. This item requires companies to describe their process for assessing, identifying, and managing material risks stemming from cybersecurity threats. Businesses must also disclose management’s ability to assess and manage risks from cyberattacks.
The SEC believes that establishing consistent and comparable cybersecurity disclosure standards will benefit both companies and investors. By requiring prompt reporting and thorough descriptions of cybersecurity incidents, investors will be better equipped to understand the potential risks associated with the companies they invest in.
The new rule will go into effect either 90 days after publication in the Federal Register or on December 18th, 2023, whichever date comes later. Consequently, companies will need to include their cybersecurity protocols in their Form 10-K filings starting in the fiscal year that ends on or after December 15th, 2023.
The SEC’s new rule reflects a growing recognition of the critical importance of cybersecurity in today’s digital landscape. By enforcing timely and comprehensive disclosure of data breaches and cyberattacks, the SEC aims to protect investors and foster greater transparency in corporate governance.