Public companies will now have to disclose cybersecurity incidents sooner, thanks to a rule adopted by the Securities and Exchange Commission. Under the new policy, the SEC will require public companies to report data breaches and hacks four business days after they are discovered.
Companies will have to disclose any cybersecurity incidents on a Form 8-K filing. These publicly available documents typically inform shareholders about major changes to the company — and now they’ll include a new Item 1.05 for cybersecurity incidents. The disclosure should include information on “nature, scope, and timing,” as well as “its material impact or reasonably likely” on the company.
We @SECGov adopted rules regarding cybersecurity disclosures by public companies.
These rules will enhance & standardize disclosures to investors with regard to public companies’ cybersecurity practices as well as material cybersecurity incidents.
— Gary Gensler (@GaryGensler) July 26, 2023
There is an exception to the four-day disclosure requirement, however. The SEC says that the disclosure can be delayed if the US attorney general determines that alerting shareholders to the incident “would pose a substantial risk to national security or public safety.”
Additionally, the SEC carved out a new Regulation S-K Item 106 that will be included on a company’s annual Form 10-K filing. This will require businesses to describe their process “for assessing, identifying, and managing material risks from cybersecurity threats.” Companies must also disclose their management’s ability to assess and manage material risks from cyberattacks.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler says in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
In recent months, several companies have become victims of cyberattacks, including Roblox, T-Mobile, and Google. Hundreds of businesses have also been affected by a cyberattack attack on the file transfer tool MOVEit, and that number continues to grow as more companies come forward.
The SEC will start requiring public companies to disclose data breaches starting 90 days after the date of publication in the Federal Register or December 18th, 2023 — whichever comes later. Meanwhile, companies will have to include their cybersecurity protocols in Form 10-K filings starting in the fiscal year ending on or after December 15th, 2023.
Hopefully, this means soon we’ll be able to learn when our data is compromised a heckuva lot faster.