The U.S. Securities and Exchange Commission has adopted new rules requiring publicly traded companies to disclose cyberattacks within four business days after determining they’re material incidents.
According to the Wall Street watchdog, material incidents are those that a public company’s shareholders would consider important “in making an investment decision.”
The SEC also adopted new regulations requiring foreign private issuers to provide equivalent disclosures following cybersecurity breaches.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors,” said SEC Chair Gary Gensler today.
“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Listed companies must now include details about the cyberattack (including the incident’s nature, scope, and timing) in periodic report filings, specifically on 8-K forms.