SEC Mandates Swift Disclosure of Major Cyber Incidents
A new ruling announced by The Securities and Exchange Commission recently will require publicly traded companies to disclose major cyber incidents like data breaches or ransomware attacks within four business days of determining the incident "material" for its shareholders. The ruling also requires that information about companies' management and strategy around cybersecurity risk is disclosed annually, as well as information about the role of its board in overseeing cybersecurity threats.
The final rule document states that shareholders in public companies need more timely and consistent cybersecurity disclosure in order to make informed investment decisions. From an investor's perspective, knowing if a company has suffered a data breach or cyber attack is along the same lines as knowing if a company burned down due to fire.
Unprecedented SEC Rules Strengthen Cybersecurity Oversight
These rules are the most comprehensive cybersecurity regulations ever seen in the U.S. While some industries already have stringent government cyber requirements, the SEC's oversight ensures that these rules reach a wider scope.
When Will This Ruling Take Effect?
The rules will take effect 30 days after they are published in the Federal Register. At the time of this writing, the SEC doesn’t have an expected publication date for the rules.
Whether your business is publicly traded or private, your cyber incident monitoring detection, response, and reporting procedures are not something to put on the back burner. It's also a very good time to reassess your business security measures to make sure your business is staying up to date on the latest technologies available for cyber incident detection and response. Request a consultation today.