The Securities and Exchange Commission (SEC) has recently adopted a rule that requires public companies to disclose cybersecurity breaches more promptly. Going forward, the SEC requires such companies to report any data compromise or hack within four business days of determining that it is material.
Such disclosures are expected to appear on a Form 8-K filing, a publicly accessible document usually used to inform investors about significant developments within the company. The form will gain a new Item 1.05, dedicated to cybersecurity incidents. The information disclosed should describe the “nature, scope, and timing” of the incident and its actual or potential material impact on the company.
There is one exception to the four-day disclosure deadline. According to the SEC, companies can postpone the disclosure if the US Attorney General concludes that notifying investors about the incident could “pose a significant threat to national security or public safety.”
In addition, the SEC has introduced a new Regulation S-K Item 106 to be included in a company’s annual Form 10-K filing. This will require companies to describe their processes for “evaluating, recognizing, and handling significant risks from cybersecurity threats.” It will also require information about management’s ability to assess and manage material risks from cyberattacks.
SEC Chair Gary Gensler, in a statement, drew a comparison between physical and digital losses, saying, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.” He also added that while many public companies already offer cybersecurity disclosure to investors, both the companies and investors could benefit from more consistent, comparable, and useful disclosure practices.
Cyberattacks have been on the rise, with numerous companies such as Roblox, T-Mobile, and Google falling victim. An attack on the file transfer tool MOVEit has also affected many businesses, and the number of known victims continues to grow as more of them come forward.
The rule will take effect 90 days after publication in the Federal Register or on December 18th, 2023, whichever is later. Meanwhile, the cybersecurity process disclosures must be included in Form 10-K filings for fiscal years ending on or after December 15th, 2023.
This new policy should allow the public to learn of data compromises much more quickly in the future.