The Securities and Exchange Commission (SEC) has published a new statement explaining that it’s adopting new rules about public companies reporting cybersecurity incidents. The rules will require public companies to report cybersecurity incidents four business days after a company ‘determines that a cybersecurity incident is material.’
The SEC said that publicly traded companies will have to disclose any cybersecurity incidents on the new Item 1.05 of Form 8-K. They will also have to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.
In addition to public companies, the SEC said that the rules will require similar disclosures by foreign private issuers. They will have to use Form 6-K for material cybersecurity incidents and Form 20-F for cybersecurity risk management, strategy, and governance.
Commenting on the new rules, SEC Chair Gary Gensler said:
‘Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors.’
‘I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.’
The SEC listed various dates for when these rules come into force, but generally it appears that mid-December is when public companies will have to start reporting any security incidents.
With these new rules in place, users could hear about their accounts being compromised much sooner than before. This would allow them to respond to hacks more quickly and change passwords across the other services they use if necessary, potentially taking a lot of power away from hackers looking to make money by selling account information.