The US Securities and Exchange Commission has proposed a new rule forcing public companies to disclose any “material cybersecurity” incidents within four days and then provide periodic reports about their risk management plans.
The proposed rule would change Form 8-K reporting requirements. Form 8-K is the form the SEC requires companies to file when announcing corporate changes or any other events that might be important to shareholders. The quarterly 10-Q and annual 10-K forms would also be amended to require companies to report any previously undisclosed incidents, along with their policies and procedures for managing cyber risks.
According to the SEC’s press release, “The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents”.
Forced disclosure that might send stocks plummeting
Under this new rule, companies would have to disclose information including the board of directors’ oversight of cybersecurity risk, details about any board members’ cybersecurity expertise, and management’s role and experience in assessing and handling that risk and in implementing new cybersecurity policies and procedures.
The proposing release will be published on the SEC’s website and in the Federal Register, with the comment period being open for 60 days following the publication on the SEC website or 30 days following the publication of the proposed release on the Federal Register — whichever period is longer.
This proposed new rule comes as similar cybersecurity reporting mandates are gaining traction among a growing number of members of the US Congress.
The US Senate also unanimously passed the Strengthening American Cybersecurity Act of 2022 earlier this week. The proposed law would require critical infrastructure operators and federal agencies alike to report cyberattacks and ransomware payments.
These new rules matter as the US faces an increasing number of cyberattacks. Additionally, in light of the Russia-Ukraine conflict, CISA has recently updated its guidance to US businesses about potential Russian threats, asking that organisations, whether small or large, be prepared to “respond to disruptive cyber activity”.