Public companies comply with SEC cyber disclosure rules early

Share post:

Publicly traded companies are complying with the Securities and Exchange Commission’s (SEC) new cyber disclosure rules ahead of their December start date. The rules require companies to disclose material cyber incidents within four business days.

Most public companies don’t need to start reporting material cyber incidents until December 18, but many are already abiding by the rules. For example, Okta reported a security breach last week, and Caesars reported a cyber incident earlier this month.

The early disclosures are giving other businesses a preview of what to expect from regulators, shareholders, and consumers when they report their own cyber incidents.

Under the new rules, companies must disclose a description of the cyber incident, including the date, nature, and scope of the attack, the impact of the incident on the company’s operations and financial condition, and any remedial measures the company has taken or is taking to address the incident in an 8-K filing.

Companies must also disclose more details about their internal cybersecurity programs in annual reports. This includes information about the company’s cybersecurity governance, risk management, and incident response procedures.

The new rules have triggered pushback and anxiety among corporations worried about the implications of public incident disclosures. Some companies are concerned that the SEC will use their 8-K filings to hold them liable for incidents.

Others are unsure how consumers and shareholders will respond to reports of new cyberattacks. However, experts say that companies can mitigate these risks by preparing now. They recommend that organizations conduct tabletop exercises, establish crisis communications plans, and provide cybersecurity training to board members.

They say that companies can determine if a cyberattack will have a material business impact by considering the cost of business interruptions, the cost of ransom payments, and the cost of network security upgrades. However, most 8-K filings don’t stray much from how companies were already publicly discussing incidents. They typically stick to a short statement that says they’re facing an incident and will return with more information at a later date.

The sources for this piece include an article in Axios.

Featured Tech Jobs


Related articles

Cyber Security Today, Week in Review for week ending Friday, Feb. 23, 2024

This episode features discussion on the takedown of the LockBit ransomware gang

Breaking news: RCMP facing ‘alarming’ cyber attack

The RCMP is facing a serious cyber attack from an unspecified threat actor. The Mounties told CBC News today that a “breach of this magnitude is alarming.” “The situation is evolving quickly but at this time, there is no impact on RCMP operations and no known threat to the safety and security of Canadians,” a spokesperson

Leaked documents may show the inside of China’s hacking strategy

Documents apparently stolen by disgruntled employees to embarrass their firm may give insight into China's cyber

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways