Public companies will now be required to disclose cybersecurity incidents sooner, following a rule adopted by the Securities and Exchange Commission. Under the new rule, a public company must report a cybersecurity incident within four business days of determining that the incident is material. The clock starts at the materiality determination, not at discovery, but the company must make that determination without unreasonable delay once it learns of the incident.
Companies will need to disclose such incidents on a Form 8-K filing. These publicly available documents typically inform shareholders about significant changes within the company, and they will now include a new Item 1.05 specifically for cybersecurity incidents. The disclosure must describe the material aspects of the "nature, scope, and timing" of the incident, as well as its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations.
However, there is an exception to the four-day disclosure requirement. The SEC states that the disclosure may be delayed if the US Attorney General determines that disclosing the incident would pose a substantial risk to national security or public safety and notifies the Commission of that determination in writing.
Additionally, the SEC has introduced a new Regulation S-K Item 106, which will be included in a company's annual Form 10-K filing. This item requires businesses to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, and whether any such risks have materially affected, or are reasonably likely to materially affect, the company. Companies must also describe management's role and expertise in assessing and managing those risks, as well as the board of directors' oversight of them.
“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” says SEC Chair Gary Gensler in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. However, I believe that both companies and investors would benefit from consistent, comparable, and decision-useful disclosure.”
The Form 8-K incident disclosure requirement takes effect 90 days after the rule's publication in the Federal Register or on December 18th, 2023, whichever comes later; smaller reporting companies get an additional 180 days before they must comply. Meanwhile, companies will need to include the Item 106 disclosures on cybersecurity risk management, strategy, and governance in Form 10-K filings for fiscal years ending on or after December 15th, 2023.
Hopefully, this means we’ll soon be able to learn about compromised data at a much faster pace.