The Securities and Exchange Commission has adopted new rules that require companies to disclose cybersecurity incidents within four business days of discovery.
As cybersecurity incidents increase in frequency and cost, the impact on investors can be devastating. As a result, the SEC wants businesses to be more transparent about such incidents, disclosing them sooner.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
While the rules require businesses to disclose breaches within four business days of discovery, there is at least one instance in which a delay may be acceptable.
The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.
The new regulations will also require companies “to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.”