SEC proposes four-day rule for public companies to report cyberattacks

2022-03-09 21:16

A new rule proposed by the US Securities and Exchange Commission would force public companies to disclose cyberattacks within four days along with periodic reports about their cyber-risk management plans.

Specifically, the proposed rule would amend the Form 8-K reporting requirements to include cybersecurity incident disclosure "Within four business days after the registrant determines that it has experienced a material cybersecurity incident." The 8-K is the form that the SEC requires public companies file to publicly announce corporate changes or big events that may be material to shareholders.

"Today, cybersecurity is an emerging risk with which public issuers increasingly must contend," SEC Chair Gary Gensler said in a statement.

"Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner."

The proposed SEC rule comes as similar cyber reporting mandates are finally picking up steam with more members of the US Congress.

It would, among other things, require critical infrastructure operators and federal agencies to report cyberattacks and ransomware payments.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/09/sec_cyberattack_disclosure/

#cyberattack #report #SEC