
SEC reveals new cyber incident disclosure rules

The US Securities and Exchange Commission has announced a change to the way companies disclose that they have been affected by a cyber security incident.

David Hollingworth
Thu, 27 Jul 2023

Disclosure will now be required within four days of an incident, and will be made in the same format as any other change the company makes that could have an impact on investors.

The SEC has also said that the same regulations apply to foreign private issuers, which are generally companies incorporated outside the US that do a large amount of business there.

The disclosure must include the “nature, scope, and timing” of the incident, as well as what kind of impact it has had – or may have – on the company’s operations.


“Whether a company loses a factory in a fire – or millions of files in a cyber security incident – it may be material to investors,” SEC chair Gary Gensler said in a statement. “Currently, many public companies provide cyber security disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cyber security information, today’s rules will benefit investors, companies, and the markets connecting them.”

In addition, the SEC will now require listed companies to clearly state their processes for identifying and mitigating any cyber incident, board oversight on such incidents, and management’s expertise in managing the risks and likely impacts of such incidents.

The one exception to the four-day rule, however, is if the US Attorney-General feels such an action would “pose substantial risk to national security or public safety”.

The new rules will come into effect within 90 days of being officially listed in the Federal Register or by 18 December 2023 – whichever is later.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
