The US Securities and Exchange Commission has announced a change to the way companies disclose that they have been affected by a cyber security incident.
Disclosure will now be required within four days of an incident, and it will be made in the same format as any other change the company reports that could have an impact on investors.
The SEC has also said that the same regulations apply to foreign private issuers, which are generally companies incorporated outside the US that do a large amount of business there.
The disclosure must include the “nature, scope, and timing” of the incident, as well as what kind of impact it has had – or may have – on the company’s operations.
“Whether a company loses a factory in a fire – or millions of files in a cyber security incident – it may be material to investors,” SEC chair Gary Gensler said in a statement. “Currently, many public companies provide cyber security disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cyber security information, today’s rules will benefit investors, companies, and the markets connecting them.”
In addition, the SEC will now require listed companies to clearly state their processes for identifying and mitigating any cyber incident, board oversight on such incidents, and management’s expertise in managing the risks and likely impacts of such incidents.
The one exception to the four-day rule, however, is if the US Attorney-General feels such an action would “pose substantial risk to national security or public safety”.
The new rules will come into effect within 90 days of their official publication in the Federal Register, or by 18 December 2023, whichever is later.