The U.S. SEC has introduced new rules for publicly traded companies to disclose cyberattacks within four business days if they are considered significant to investors. Foreign private issuers are also required to provide equivalent disclosures. SEC Chair Gary Gensler stated that consistent and comparable disclosure would benefit both companies and investors.
The rules demand listed companies to include cyberattack details in periodic report filings (8-K forms). These rules will be effective from December or 30 days after publication in the Federal Register. Smaller companies will have an additional 180 days to comply. Disclosure timelines may be delayed if immediate disclosure poses a risk to national security or public safety.
The required breach-related information includes the incident’s nature, scope, timing, data compromise, impact on operations, and remediation efforts. However, technical incident response plans and vulnerability details need not be disclosed.
Moody’s Investors Service believes these rules will enhance transparency but could be challenging for smaller companies with limited resources.
