A new rule is enacted requiring disclosure 'within 4 days' when a company is hacked

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) announced that it had adopted a new rule requiring companies to disclose, within four business days, any cyberattack that is deemed a serious incident. The new rules are expected to give investors even greater protection.

SEC.gov | SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies


New SEC rule requires public companies to disclose cybersecurity breaches in 4 days | AP News

On July 26, the SEC said: 'Today we adopted rules that require registrants to disclose any significant cybersecurity incidents they encounter and to annually disclose material information about cybersecurity risk management, strategy, and governance.'

Publicly traded companies in the United States are required to disclose special events, such as acquisitions, changes in board members, the acquisition or sale of significant assets, and bankruptcy, in a special report called Form 8-K.

The rule change adds a new section to Form 8-K in which companies will be required to disclose cybersecurity incidents they determine to be serious, describing the nature, scope and timing of the incident and the significant consequences it may have.

In principle, submissions are due within four business days, but disclosure may be delayed if the Attorney General determines that 'immediate disclosure poses a significant risk to national security or public safety.'

SEC Chairman Gary Gensler said in a statement: 'When a company loses a factory in a fire or loses millions of files in a cybersecurity incident, we think it's a big deal for investors. Many publicly traded companies already disclose information about cybersecurity to investors, but if this were done in a more uniform, comparable, and decision-useful manner, it would benefit investors and the companies as well.'

The new rules also require companies to describe, in their annual report on Form 10-K, their processes for assessing, identifying and managing material risks from cybersecurity threats, the risks and impact of past cybersecurity incidents, and the members of management responsible for these decisions.

The new regulation comes after a so-called supply chain hack by Russian cybercriminals against the popular file transfer program MOVEit. Many organizations suffered large-scale data breaches in this incident, but slow disclosure has delayed a full picture of the damage from emerging.

Ransomware group 'Cl0p' exposes confidential information from hundreds of companies; with the extortion deadline approaching and the BBC and airlines threatened, it develops into a massive incident - GIGAZINE

'The rule could bring transparency to an opaque and growing risk and spur better cyber defenses,' commented Leslie Ritter, senior vice president at credit rating agency Moody's Investors Service.

Amit Yoran, CEO of cybersecurity company Tenable, welcomed the new regulations, saying: 'For a long time, large American companies have viewed cybersecurity as a "nice to have" rather than a "must have". It is very clear that cybersecurity must be strengthened within the organization.'

Hester Peirce, a Republican who opposed the rule, said in a statement: 'The new rule goes beyond the powers of the SEC and seems to put the needs of would-be hackers above the needs of investors seeking financially material information.' She expressed concern that excessive disclosure of security systems may make companies more vulnerable to cyberattacks.

in Security, Posted by log1l_ks