The Securities and Exchange Commission (SEC) is set to adopt a new rule that would require all public companies to disclose cybersecurity incidents within four business days of their discovery.
The rule, which is still in the proposal stage, would also require companies to provide annual reports on their cybersecurity risk management practices.
The SEC’s move is a response to the growing number and severity of cyberattacks. In recent years there have been a number of high-profile cyberattacks, with the Equifax data breach being among the worst.
The proposal requires companies to disclose whether their board of management has any cybersecurity expertise and how it oversees cybersecurity risk management. However, debate is still underway as to what constitutes a cybersecurity incident.
What is clear is that the new rule would require companies to disclose any cybersecurity incident that is “material” to investors. Some reports say this could include incidents involving the theft of customer data, the loss of intellectual property or the disruption of business operations.
The rule would also require companies to describe the nature of the incident, its impact on the company and the steps that the company has taken to mitigate the incident.
Once the rule is in effect, companies will have up to 90 days to begin complying. Smaller companies will have an additional 180 days.