
What the SEC's New Requirements for Disclosure of Cyber Incidents Mean for Companies

U.S. SEC Tightens Disclosure Rules for Cyber Incidents

Companies will have to report within 4 days of an incident if deemed “material.”

A new era of transparency in reporting cyber-incidents has arrived.

Companies that experience a cyber incident will now be required to publicly disclose details to the U.S. Securities and Exchange Commission (SEC) within four business days after the victimized company deems the incident “material,” under new rules adopted by the agency on July 26, 2023.

The new rules will require publicly traded companies (“registrants”) to disclose on Form 8-K “any cybersecurity incident they determine to be material, and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.”

The new rules will take effect in stages over the coming months, most likely beginning in the December 2023 timeframe.

The finalized rule will result in a rising tide of incident disclosures from which journalists, analysts, investors and others will feed. Couple the new rule with more sophisticated and outspoken hackers, and companies face an even more perilous cyber communications landscape. The need for preparation and thoughtful, strategic communications throughout a cyber incident has never been greater or more important.

Though somewhat less onerous than the proposed rules, the final rules still require accelerated incident reporting and require companies to “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.”

The new rule will also require public companies to “describe their boards’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a company’s annual Form 10-K.”

FGS Global is a leading cybersecurity strategic communications advisor and has counseled hundreds of public and private organizations in many of the most high-profile cyber incidents, both in the U.S. and globally. FGS Global's cyber experts appear frequently on leading cyber industry conference panel discussions, including the Incident Response Forum Masterclass.