The Securities and Exchange Commission (SEC) adopted a new rule on Wednesday requiring registrants to disclose details of cyberattacks within four business days after a hack is identified as “material.”
“Currently, many public companies provide cybersecurity disclosure to investors,” said SEC Chair Gary Gensler. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
The new requirement mandates that all registrants, including publicly traded companies and foreign private issuers, reveal the hack’s nature, scope, timing, and material impact to investors. However, the disclosure may be delayed up to 60 days if it’s determined it would pose a “substantial risk to national security or public safety.” In this case, registrants would have to notify the SEC of the delay in writing.
Registrants will also be required to disclose material information regarding their cybersecurity risk management practices, strategies, and governance on an annual basis. According to the agency, registrants must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or “reasonably likely material effects” of risks from cybersecurity threats and previous cybersecurity incidents.
The SEC will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats, and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
The final rules will become effective 30 days following publication of the rule in the Federal Register, according to the SEC.
The new rule comes at a time when more companies face cyber risk and exposure of investors’ personal information. Earlier this month, a data breach exposed the names, Social Security numbers, dates of birth, and mailing addresses of close to 172,000 retirees and beneficiaries in the Tennessee Consolidated Retirement System (TCRS).
Just a few weeks before in June, a third-party cyber hack impacted 769,000 retirees in the California Public Employees’ Retirement System (CalPERS), compromising names, birth dates, and Social Security numbers.