New SEC rules put a time limit on reporting hacks and data breaches

July 26, 2023
25 views

Public companies will now have to disclose cybersecurity incidents sooner, thanks to a rule adopted by the Securities and Exchange Commission. Under the new policy, the SEC will require public companies to report data breaches and hacks four business days after they are discovered.

Companies will have to disclose any cybersecurity incidents on a Form 8-K filing. These publicly available documents typically inform shareholders about major changes to the company — and now they’ll include a new Item 1.05 for cybersecurity incidents. The disclosure should include information on “nature, scope, and timing,” as well as “its material impact or reasonably likely” on the company.

There is an exception to the four-day disclosure requirement, however. The SEC says that the disclosure can be delayed if the US attorney general determines that alerting shareholders to the incident “would pose a substantial risk to national security or public safety.”

Additionally, the SEC carved out a new Regulation S-K Item 106 that will be included on a company’s annual Form 10-K filing. This will require businesses to describe their process “for assessing, identifying, and managing material risks from cybersecurity threats.” Companies must also disclose their management’s ability to assess and manage material risks from cyberattacks.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler says in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

The SEC will start requiring public companies to disclose data breaches starting 90 days after the date of publication in the Federal Register or December 18th, 2023 — whichever comes later. Meanwhile, companies will have to include their cybersecurity protocols in Form 10-K filings starting in the fiscal year ending on or after December 15th, 2023.

Source: The Verge