Publicly owned companies in the U.S. are now required to adhere to new cybersecurity disclosure rules set by the U.S. Securities and Exchange Commission (SEC). These rules demand the reporting of “material” cyber incidents within 96 hours. The implications of non-compliance are significant, as organizations could face penalties from the SEC.
Key Takeaway
The SEC’s new cybersecurity disclosure rules require publicly owned companies to report “material” cyber incidents within 96 hours. Non-compliance can result in significant consequences, so companies must ensure timely and accurate reporting to avoid penalties.
Reporting Requirements
Under the new regulations, organizations must report cybersecurity incidents, including data breaches, to the SEC within four business days. This information should be included in a specific line item on a Form 8-K report. The aim of these rules is to enhance transparency in cybersecurity governance and provide consistent and comparable disclosure for the benefit of investors and companies.
Disclosure Details
Companies must describe the nature, scope, timing, and material impact of the breach in their 8-K filing. Notably, the regulation does not mandate the disclosure of information regarding the incident’s remediation status, ongoing recovery efforts, or compromised data.
Extensions and Exceptions
Smaller companies have been granted a 180-day extension before they must file their Form 8-K. Additionally, there is an exception to the four-day deadline for larger organizations if premature disclosure could pose a substantial risk to national security or public safety, as determined by the U.S. attorney general.
Consequences of Non-Compliance
Failure to comply with the new rules can lead to various consequences, including financial penalties, legal liabilities, reputational damage, loss of investor confidence, and regulatory scrutiny. Recent actions by the SEC against companies and individuals have demonstrated the seriousness of non-compliance.
Pushback and Concerns
Some companies have expressed concerns about the short reporting window and the SEC’s definition of “material incidents.” There is also apprehension that the breadth of information required to be disclosed may provide insight to hackers. In a concerning development, hackers have already exploited the new rules to file complaints against their victims.