SEC wants public companies to report breaches within four days
The US Securities and Exchange Commission has proposed rule amendments to require publicly traded companies to report data breaches and other cybersecurity incidents within four days after they're discovered.
According to newly proposed amendments to current rules, listed companies would have to provide information in periodic report filings on policies, implemented procedures, and the measures taken to identify and manage cybersecurity risks on Form 8-K. The amended rules would also instruct companies to provide updates regarding previously reported security breaches.
The SEC wants public companies to share regular disclosures regarding their management's role in implementing cybersecurity procedures and policies, as well as on their board of directors' cybersecurity expertise and oversight of cybersecurity risk.
"We believe that the proposed requirement to file an Item 1.05 Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident would significantly improve the timeliness of cybersecurity incident disclosures, as well as provide investors with more standardized and comparable disclosures," the Wall Street regulator said.
These proposed amendments are designed to provide investors with timely notifications of security breaches affecting listed companies and better inform them regarding their cybersecurity risk management and strategy.
"Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs. A lot of issuers already provide cybersecurity disclosure to investors," SEC Chair Gary Gensler added.