Timely Cyberattack Disclosure Is Now Part of SEC Compliance
SEC compliance now involves a new cybersecurity rule that forces publicly traded companies to disclose cyberattacks within four days of their occurrence.
- Organizations must submit a Form 8-K filing, describing the incident’s nature, scope, timing, and material impact within the specified timeframe.
- Smaller companies receive a 180-day extension for Form 8-K disclosure if they meet the SEC’s defined criteria.
The Securities and Exchange Commission’s (SEC) new cybersecurity disclosure rule has officially gone into effect as of December 18th.
Remember a while back when I told you about the hacker group who snitched to the SEC about a company that failed to disclose its attack? At the time, they were jumping the gun as the rule had not gone into effect yet. Now, however…
SEC compliance now requires publicly traded companies to report “material” cyber incidents within 96 hours (roughly four business days). The aim here is to enhance visibility into cybersecurity governance and provide more consistent, comparable, and decision-useful information for investors and companies alike.
SEC Chair Gary Gensler emphasized the importance of such disclosures, stating, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.”
Under the new cybersecurity disclosure requirements, organizations must report incidents, such as data breaches, within the specified timeframe. They have to describe the incident’s nature, scope, timing, and material impact in the Form 8-K filing.
However, smaller companies, defined by the SEC as those with a public float of less than $250 million or less than $100 million in annual revenues, are granted a 180-day extension for Form 8-K disclosure.
As expected, many companies pushed back, arguing that the given timeframe is insufficient to confirm a breach’s impact, coordinate notifications, and understand the full extent of the incident. But the SEC clarified that companies are not required to disclose specific technical information about their incident response, systems, or potential vulnerabilities.
Some have complained of the SEC’s vague language as the commission did not properly define “material incidents.”
Regardless of complaints, failure to comply could result in financial penalties, legal liabilities, reputational damage, loss of investor confidence, and regulatory scrutiny.
Inside Telecom provides you with an extensive list of content covering all aspects of the tech industry. Keep an eye on our Cybersecurity sections to stay informed and up-to-date with our daily articles.