Public companies comply with SEC cyber disclosure rules early

Share post:

Publicly traded companies are complying with the Securities and Exchange Commission’s (SEC) new cyber disclosure rules ahead of their December start date. The rules require companies to disclose material cyber incidents within four business days.

Most public companies don’t need to start reporting material cyber incidents until December 18, but many are already abiding by the rules. For example, Okta reported a security breach last week, and Caesars reported a cyber incident earlier this month.

The early disclosures are giving other businesses a preview of what to expect from regulators, shareholders, and consumers when they report their own cyber incidents.

Under the new rules, companies must disclose a description of the cyber incident, including the date, nature, and scope of the attack, the impact of the incident on the company’s operations and financial condition, and any remedial measures the company has taken or is taking to address the incident in an 8-K filing.

Companies must also disclose more details about their internal cybersecurity programs in annual reports. This includes information about the company’s cybersecurity governance, risk management, and incident response procedures.

The new rules have triggered pushback and anxiety among corporations worried about the implications of public incident disclosures. Some companies are concerned that the SEC will use their 8-K filings to hold them liable for incidents.

Others are unsure how consumers and shareholders will respond to reports of new cyberattacks. However, experts say that companies can mitigate these risks by preparing now. They recommend that organizations conduct tabletop exercises, establish crisis communications plans, and provide cybersecurity training to board members.

They say that companies can determine if a cyberattack will have a material business impact by considering the cost of business interruptions, the cost of ransom payments, and the cost of network security upgrades. However, most 8-K filings don’t stray much from how companies were already publicly discussing incidents. They typically stick to a short statement that says they’re facing an incident and will return with more information at a later date.

The sources for this piece include an article in Axios.

SUBSCRIBE NOW

Related articles

Russian State-Backed Cyber Attack Exploits Zero-Day Vulnerabilities in Windows and Firefox

Headline: A sophisticated cyberattack leveraging two chained zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows has been confirmed by...

Starbucks Forced to Pay Baristas Manually After Ransomware Attack

A ransomware attack on Blue Yonder, a third-party scheduling software provider, has disrupted Starbucks’ ability to manage employee...

Google Launches Free Cybersecurity Certificate for Entry-Level Jobs

Google has introduced a new Cybersecurity Professional Certificate, aimed at preparing students for entry-level roles in just six...

Critical Vulnerability Leaves Millions Of Sites Vulnerable To Takeover

A severe authentication bypass vulnerability has been discovered in the WordPress plugin "Really Simple Security" (formerly *Really Simple...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways