The US Securities and Exchange Commission (SEC) has adopted new rules requiring publicly listed firms to disclose serious incidents within four days.
The regulator voted 3-2 to adopt the rules. The four-day period will start from the time a cyber-incident was determined to be “material.”
Registrants will need to disclose on a new Item 1.05 of Form 8-K details on the incident’s nature, scope, timing and impact or “reasonably likely material impact,” the SEC said in a note yesterday.
The rules also introduce Regulation S-K Item 106, which will require companies on an annual basis to describe their processes for assessing, identifying and managing cyber risk, as well as the impact of any cyber-threats and previous incidents. It will also require them to detail the board’s oversight of cyber risks and their expertise in assessing and managing these material risks.
Foreign companies that do business in the US will also be required to follow the same rules, the SEC clarified.
“Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors,” said SEC chair Gary Gensler.
“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Sumo Logic CSO George Gerchow welcomed the news.
“This ruling is a great step towards achieving accountability, to protect the consumers and the investor community. The reality is that most companies are currently ill-prepared to meet the requirement of reporting an incident of material impact within four days,” he argued.
“While we are still waiting [to find out] what the penalties for failing to report will be, we can assume from incidents like Uber that it will lead to a DoJ situation where individuals’ jobs will be on the line.”
He added that the new rules would require organizations to improve the way they discover vulnerabilities and breaches, their reporting mechanisms, and the level of cybersecurity expertise on the board.