SEC Requirements for Cyberattack Disclosures by Publicly Traded Companies
The U.S. Securities and Exchange Commission (SEC) adopted rules in July 2023 that require publicly traded companies to disclose material cybersecurity incidents promptly. A company must file the disclosure on Form 8-K (new Item 1.05) within four business days of determining that an incident is material. Note that the clock starts at the materiality determination, not at discovery of the incident, although the company may not unreasonably delay that determination. The rules also require annual disclosure of cybersecurity risk management, strategy, and governance, information the SEC considers important to shareholders making investment decisions.
An incident is "material" under the same standard used elsewhere in securities law: there is a substantial likelihood that a reasonable investor would consider it important. In practice this covers breaches that may cause significant consequences for a company, much as a fire or other physical event might. The SEC's stated goal is consistent, comparable, and decision-useful disclosure, benefiting investors, companies, and the financial markets.
Foreign private issuers are also covered and must furnish equivalent incident disclosures on Form 6-K and annual disclosures on Form 20-F. For domestic registrants, incident disclosures go in a current report on Form 8-K (not in the periodic 10-Q or 10-K), and must describe the material aspects of the incident's nature, scope, and timing; the periodic annual report (Form 10-K) carries the risk management, strategy, and governance disclosures.
Effective Date / Timing
The rules became effective 30 days after publication in the Federal Register (September 5, 2023). The annual disclosures on cybersecurity risk management, strategy, and governance are required in Form 10-K and Form 20-F reports for fiscal years ending on or after December 15, 2023. Incident reporting on Form 8-K Item 1.05 (and Form 6-K for foreign private issuers) began December 18, 2023; smaller reporting companies received an additional 180 days, so their incident-reporting obligation began June 15, 2024.
Disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing. The initial delay is up to 30 days, extendable by a further 30 days, and in extraordinary circumstances by up to an additional 60 days.
Purpose of New SEC Requirements for Cyberattack Reporting
The SEC's initiative aims to give investors timely, standardized notice of cybersecurity incidents affecting listed companies. The annual disclosures cover how a company assesses, identifies, and manages material cybersecurity risks, whether past incidents have materially affected it, and how the board and management oversee those risks, so that investors can better understand each company's exposure to the cyber threat landscape.
For an individual incident, the Form 8-K filing must describe the material aspects of the incident's nature, scope, and timing, and its material impact (or reasonably likely material impact) on the company, including its financial condition and results of operations. If any of that information is not yet determined or available when the filing is due, the company must say so and file an amendment within four business days of determining it. The rule does not require disclosure of technical details about the company's response plans or security systems in such detail that it would impede remediation, so the filing is not expected to serve as an incident report.
While the new rules seek to increase transparency and encourage improvements in cyber defenses, they may present challenges for smaller companies with limited resources, as Lesley Ritter, Senior Vice President at Moody's Investors Service, has pointed out.
ATYXIT strives to provide enterprise-grade technology solutions, including cyber security, for small to medium sized businesses at a fraction of the usual cost. If you believe your company may be affected by these new SEC requirements for cyberattack reporting, or simply want to be proactive about protecting your business from such threats, reach out to us today and we'll be happy to help.
In conclusion, the SEC’s new requirements for cyberattack disclosures by publicly traded companies aim to strengthen transparency and inform investors about cybersecurity risks and incidents affecting these organizations. Timely and comprehensive disclosures will play a crucial role in helping investors make informed decisions and understand the potential impact of cyber incidents on the companies they invest in.