On Wednesday, the Securities and Exchange Commission (SEC) announced proposed rules that would change how registered companies report cybersecurity incidents and their cyber risk management strategies. The agency said the proposed rules aim to better inform investors about a registrant’s risk preparedness and to provide timely notification of cybersecurity incidents, in view of concerns about underreporting and untimely reporting.
With regard to breaches and other hacks, the SEC’s proposed amendments would require companies to disclose “material” cybersecurity incidents on Form 8-K within four business days after adjudging the incident serious enough to disclose.
“[R]egistrants would need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material,” the proposed rules explained. Further, such disclosure would have to specify the nature of the incident, whether it is ongoing, if data was stolen or otherwise manipulated, the impact on the…

























