SEC Implements New Rule Requiring Tech Firms to Disclose Cybersecurity Breaches in 4 Days

New SEC rules give public companies four business days, counted from the point at which they determine a cyber incident is material, to report it to investors.

The US Securities and Exchange Commission (SEC) has adopted new rules that require public companies, technology firms included, to disclose material cybersecurity incidents on Form 8-K within four business days. The four-day clock starts when the company determines that the incident is material, a determination the rules say must be made without unreasonable delay after discovery; it does not start on the date of the breach itself.

The regulations also require public companies to disclose, annually, key information about their cybersecurity risk management, strategy, and governance. Foreign private issuers are obliged to make similar disclosures.


SEC Orders Cybersecurity Disclosures of Tech Companies

SEC Chair Gary Gensler emphasized the importance of consistent and comparable cybersecurity disclosure, citing its material impact on investors and companies.

With the new rules in place, both investors and firms are expected to benefit from a more streamlined and decision-useful disclosure process, ultimately fostering stronger and more secure markets.

"Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way," Gensler said in a statement.

"Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."

The newly introduced Regulation S-K Item 106 requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, including whether such risks, or previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant.

It also requires, in a registrant's annual report on Form 10-K, a description of the board of directors' oversight of cybersecurity risks and of management's role and expertise in assessing and managing them.

Foreign private issuers will also be subject to similar disclosure requirements. They must make comparable disclosures on Form 6-K for material cybersecurity incidents and Form 20-F for cybersecurity risk management, strategy, and governance.

SEC Final Rules

The final rules will take effect 30 days after publication in the Federal Register. The Form 10-K and Form 20-F disclosures will be due for fiscal years ending on or after December 15, 2023.

The Form 8-K and Form 6-K disclosures will be due either 90 days after the date of publication in the Federal Register or by December 18, 2023, whichever is later.

Smaller reporting companies are granted an additional 180 days before they must begin providing the Form 8-K disclosure. Additionally, all registrants must tag the required disclosures in Inline XBRL beginning one year after their initial compliance with the related disclosure requirement.

By implementing these new rules, the SEC aims to enhance transparency and ensure that cybersecurity incidents are promptly reported, providing investors with crucial information for making well-informed decisions.

The measures are expected to elevate cybersecurity risk management practices and underscore the importance of safeguarding sensitive information in today's increasingly interconnected digital landscape.

Byline: Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.