The U.S. Securities and Exchange Commission has introduced a new rule mandating public companies to promptly disclose cybersecurity incidents within four business days. According to SEC Chair Gary Gensler, such disclosure could be crucial for investors and beneficial for the companies and the markets they are associated with.
In the past, public companies have provided cybersecurity disclosures to investors, but the SEC aims to enhance the process by making it more consistent, comparable, and decision-useful for all stakeholders.
The new regulation, proposed in March 2022, was prompted by the increased cybersecurity risks resulting from companies’ transition to remote work, increased digitalization, usage of digital payments, reliance on third-party service providers such as cloud computing, and the monetization of cybersecurity incidents by cyber criminals.
What is the SEC cyber disclosure rule?
Under the new rules, companies must fill out a newly introduced 8-K form with an added Item 1.05 to report cybersecurity incidents. They are required to disclose and describe the nature, scope, and timing of the incident, as well as any material impact or reasonably likely material impact, including the financial condition and results of operations.
Companies must report incidents with significant effects within four days. However, if immediate disclosure poses a risk to national security or public safety, the disclosure may be delayed if the U.S. Attorney General deems it necessary.
The regulation also mandates companies to describe their process for assessing cybersecurity threats, the oversight of cybersecurity threats by their board of directors, and how management evaluates the threat.
For foreign companies, the amended 6-K form will be used for disclosing cybersecurity incidents, while the amended 20-F form will be used for periodic disclosure.
