Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Businesses Security

SEC Now Requires Companies To Disclose Cyberattacks In 4 Days (bleepingcomputer.com) 17

The U.S. Securities and Exchange Commission (SEC) has implemented new rules requiring publicly traded companies to disclose any cyberattacks considered material incidents within four business days of discovery. BleepingComputer reports: According to the Wall Street watchdog, material incidents are those that a public company's shareholders would consider important "in making an investment decision." The SEC also adopted new regulations mandating foreign private issuers to provide equivalent disclosures following cybersecurity breaches. Listed companies must now include details about the cyberattack (including the incident's nature, scope, and timing) in periodic report filings, specifically on 8-K forms.

These new cybersecurity incident reporting rules are set to take effect in December or 30 days after being published in the Federal Register. However, smaller companies will be granted an additional 180 days before they are required to provide Form 8-K disclosures. In some instances, the disclosure timeline may also be postponed if the U.S. Attorney General determines that an immediate disclosure would pose a significant risk to national security or public safety.
"Whether a company loses a factory in a fire -- or millions of files in a cybersecurity incident -- it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors," said SEC Chair Gary Gensler today.

"I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."
This discussion has been archived. No new comments can be posted.

SEC Now Requires Companies To Disclose Cyberattacks In 4 Days

Comments Filter:
  • "Whether a company loses a factory in a fire -- or millions of files in a cybersecurity incident -- it may be material to investors..."

    Well, it sure is nice when you have a wicked stock market propping up billions in valuation that is considerably higher than anything a company might be asked to self-define as "material".

    Makes it rather easy to ignore the shit out of these non-rules.

    • by ls671 ( 1122017 )

      Also they want it reported on 8K forms like if 4K wasn't high resolution enough for everybody to be able to read... /s

    • This is a fun game, and if you play it with some pals, you're going to have a great time. One of my very good pals who is currently employed at cookie clicker [cookie-clicker.io] is the one who introduced me to this game, and I've had the opportunity to collaborate with him on quite a few occasions when playing it. It is really incredible!
  • by kalieaire ( 586092 ) on Thursday July 27, 2023 @07:45PM (#63719996)

    because we're under a constant state of cyber attacks, but not only that, breaches that are immediately disclosed means cybercriminals that are operating under the premise that they haven't been discovered yet, will be notified of the fact and cut bait and run. this makes it even harder to track down the cybercriminal and prosecute. a lot of the times, when law enforcement gets involved, they're likewise apprehensive about giving away how much they know to cybercriminals. i can see this type of regulation being unironically in conflict with law enforcement.

    • From the summary it sounds like the law already has a provision for witholding disclosure if there is a valid criminal investigation reason to withold. No idea how this would work, but i could see if something like company get breeched, notifies the authorities and files their SEC paperwork within 4 days. If the investigating authorities deem it necessary to withold public disclosure then they notify the SEC and the SEC sits on the information until the investigating authorities give the green light to publ
    • Eventually it will just become background noise. Imagine if a publicly traded company had to disclose every time they "detected" an incident of shoplifting.

      • You shop lift an isolated location no thread towards others or the privacy and identity of others outside the store. Itâ(TM)s not the same as attacking a global organization especially when containing records and activity of other, what should be protected, identities.
  • BleepingComputer reports:

    I hope BleepingComputer is either resilient to the /. effect or they have their paperwork on standby.

  • SEC has no business creating such mandates. This is something Congress needs to do. Or not do.

    The idea of the SEC is simply to regulate securities markets to ensure a level playing field. Using it to implement general societal policy goals is not in its charter, but typical of the endless overreach of the Biden admin. The same goes for some of the ESG regulation that the SEC is trying to impose. Yes, SEC should be involved in proper governance. But not social engineering.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...