SEC Mandates Rapid Cyberattack Disclosures, Companies Must Act Within 4 Business Days
The U.S. Securities and Exchange Commission (SEC) has taken a significant step towards enhancing cybersecurity transparency for publicly traded companies. The SEC has adopted new rules that mandate the disclosure of cyberattacks within four business days of determining their material impact on the organization. Material incidents, as defined by the Wall Street watchdog, are events that shareholders would find essential when making investment decisions.
Additionally, the SEC’s regulations now require foreign private issuers to provide equivalent disclosures following cybersecurity breaches, ensuring a consistent approach to reporting across borders.
SEC Chair Gary Gensler highlighted the importance of consistent, comparable, and decision-useful disclosure of cybersecurity incidents, which will benefit investors, companies, and the overall market.
The newly adopted rules will require listed companies to include detailed information about cyberattacks, including the nature, scope, and timing of the incident, in periodic report filings, specifically on 8-K forms. The rules will take effect in December or 30 days after publication in the Federal Register. However, smaller companies will have an additional 180 days before they are required to provide Form 8-K disclosures.
To address national security or public safety concerns, the disclosure timeline may be postponed if determined by the U.S. Attorney General.
These rules aim to increase transparency for investors and improve their understanding of cybersecurity risk management and strategy. Companies will be required to disclose specific breach-related information, such as:
- the date of discovery,
- incident status,
- incident description,
- compromised data details,
- impact on operations,
- and ongoing or completed remediation efforts.
However, the SEC does not expect companies to disclose technical specifics of their incident response plans or potential vulnerabilities that could influence their response or remediation actions.
While the new rules will enhance transparency and facilitate comparisons among practices, some experts, such as Lesley Ritter, Senior Vice President for Moody’s Investors Service, anticipate challenges for smaller companies with limited resources in meeting the new disclosure standards. Nonetheless, these rules mark a significant step towards ensuring timely and comprehensive reporting of cyber incidents, benefiting investors, companies, and the broader financial market.
Source: bleepingcomputer.com