SEC cybersecurity disclosure rules, with checklist


Current federal law requires public companies that have experienced recent cyberattacks to disclose relevant information to the U.S. Securities and Exchange Commission. Such companies must also file yearly reports about their cybersecurity risk management, strategy and governance practices.

The SEC adopted these new rules in 2023 to ensure shareholders and investors have consistent access to information that might reasonably affect their investment decisions.

Cyberincident disclosure requirements

Under current SEC cybersecurity disclosure rules, a public company must report any “material” cyberincident — meaning one that significantly affects the firm’s ability to conduct business.

The organization must complete and file Form 8-K Item 1.05 within four business days of making a materiality determination, which should happen “without unreasonable delay.”

The organization should disclose the following material details in the filing:

  • The nature of the incident — i.e., what happened.
  • The scope of the incident — i.e., the extent to which corporate assets, such as systems, services and data, were compromised.
  • The timing of the incident and incident response –…
