SEC says public companies must report cyberattacks in four days
The US Security and Exchange Commission has established a four-day limit for disclosing "material cybersecurity incidents" in an effort to stop publicly traded corporations from withholding information about hackers. In response to cybersecurity breaches, the SEC also passed new rules requiring foreign private issuers to make equal disclosures.
The US attorney general might postpone that disclosure if doing so poses a "substantial risk to national security or public safety." If not, the regulations will act as a stern new benchmark, even if they are a little less strict than the EU's GDPR cyberattack deadline of just three days.
The announcement follows Microsoft receiving criticism from security professionals for taking weeks to acknowledge an attack on Outlook and other internet services.
The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing," reads the SEC's official announcement.
It will go into effect in December
Listed firms must now disclose information regarding the attacks (such as the nature, extent, and timing of the occurrence) in periodic report filings, particularly on 8-K forms. The new guidelines for reporting cybersecurity incidents will go into effect in December, or 30 days after they are published in the Federal Register.
Disclosures are due beginning 90 days from the date of publication in the Federal Register or on December 18, 2023, the Form 8-K and Form 6-K. Smaller reporting corporations will have an extra 180 days before they have to start disclosing information in Form 8-K.
All registrants must begin tagging disclosures required by the final rules in Inline XBRL one year after initially complying with the corresponding disclosure obligation in order to be in compliance with the structured data requirements.
Advertisement
