SEC Imposes Stricter Rules on Cybersecurity Incident Disclosure


July 27, 2023

The Securities and Exchange Commission (SEC) has recently adopted a rule that requires public companies to disclose cybersecurity breaches more promptly. Going forward, the SEC requires such companies to report any data compromises or hacks within four business days of detection.

Such disclosures are expected to appear on a Form 8-K filing, a publicly accessible document usually used to inform investors about significant changes within the company. The form will carry a new Item 1.05, dedicated to cybersecurity incidents. The disclosure should describe the “nature, scope, and timing” of the incident and its actual or potential substantial impact on the company.

There is one exception to the four-day disclosure rule. According to the SEC, companies may delay the disclosure if the US Attorney General determines that notifying investors about the incident could “pose a significant threat to national security or public safety.”


In addition, the SEC has introduced a new Regulation S-K Item 106 to be included in a company’s annual Form 10-K filing. This will require businesses to describe their processes for “evaluating, recognizing, and handling significant risks from cybersecurity threats.” It will also require information about management’s ability to assess and manage substantial cyberattack risks.

SEC Chair Gary Gensler, in a statement, drew a comparison between physical and digital losses, saying, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.” He added that while many public companies already provide cybersecurity disclosures to investors, both companies and investors would benefit from more consistent, comparable, and useful disclosure practices.

Cyberattacks have been on the rise, with numerous companies such as Roblox, T-Mobile, and Google falling victim. A cyberattack on the file transfer tool MOVEit has also affected many businesses, and that number continues to grow as more victims come forward.

The rule will take effect 90 days after publication in the Federal Register or on December 18th, 2023, whichever is later. Meanwhile, details about cybersecurity processes must be included in Form 10-K filings for fiscal years ending on or after December 15th, 2023.

Under this new policy, data compromises should become public knowledge much more quickly in the future.

Lucas Maes

Cybersecurity guru, encryption wizard, safeguarding data with 10+ yrs of IT defense expertise. Speaker & author on digital protection.
