
SEC Now Requires Companies To Disclose Cyberattacks In 4 Days (bleepingcomputer.com)

The U.S. Securities and Exchange Commission (SEC) has implemented new rules requiring publicly traded companies to disclose any cyberattacks considered material incidents within four business days of discovery. BleepingComputer reports: According to the Wall Street watchdog, material incidents are those that a public company's shareholders would consider important "in making an investment decision." The SEC also adopted new regulations mandating foreign private issuers to provide equivalent disclosures following cybersecurity breaches. Listed companies must now include details about the cyberattack (including the incident's nature, scope, and timing) in periodic report filings, specifically on 8-K forms.

These new cybersecurity incident reporting rules are set to take effect in December or 30 days after being published in the Federal Register. However, smaller companies will be granted an additional 180 days before they are required to provide Form 8-K disclosures. In some instances, the disclosure timeline may also be postponed if the U.S. Attorney General determines that an immediate disclosure would pose a significant risk to national security or public safety.
"Whether a company loses a factory in a fire -- or millions of files in a cybersecurity incident -- it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors," said SEC Chair Gary Gensler today.

"I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."
  • "Whether a company loses a factory in a fire -- or millions of files in a cybersecurity incident -- it may be material to investors..."

    Well, it sure is nice when you have a wicked stock market propping up billions in valuation that is considerably higher than anything a company might be asked to self-define as "material".

    Makes it rather easy to ignore the shit out of these non-rules.

    • by ls671 ( 1122017 )

      Also they want it reported on 8K forms like if 4K wasn't high resolution enough for everybody to be able to read... /s

  • by kalieaire ( 586092 ) on Thursday July 27, 2023 @08:45PM (#63719996)

    Because we're under a constant state of cyber attacks, but not only that, breaches that are immediately disclosed means cybercriminals that are operating under the premise that they haven't been discovered yet will be notified of the fact and cut bait and run. This makes it even harder to track down the cybercriminal and prosecute. A lot of the time, when law enforcement gets involved, they're likewise apprehensive about giving away how much they know to cybercriminals. I can see this type of regulation being unironically in conflict with law enforcement.

    • From the summary it sounds like the law already has a provision for withholding disclosure if there is a valid criminal investigation reason to withhold. No idea how this would work, but I could see it if something like a company gets breached, notifies the authorities and files their SEC paperwork within 4 days. If the investigating authorities deem it necessary to withhold public disclosure then they notify the SEC and the SEC sits on the information until the investigating authorities give the green light to publ
    • Eventually it will just become background noise. Imagine if a publicly traded company had to disclose every time they "detected" an incident of shoplifting.

      • You shoplift an isolated location, no threat towards others or the privacy and identity of others outside the store. It's not the same as attacking a global organization, especially when containing records and activity of other, what should be protected, identities.
  • BleepingComputer reports:

    I hope BleepingComputer is either resilient to the /. effect or they have their paperwork on standby.

  • SEC has no business creating such mandates. This is something Congress needs to do. Or not do.

    The idea of the SEC is simply to regulate securities markets to ensure a level playing field. Using it to implement general societal policy goals is not in its charter, but typical of the endless overreach of the Biden admin. The same goes for some of the ESG regulation that the SEC is trying to impose. Yes, SEC should be involved in proper governance. But not social engineering.
