New SEC Regulations Mandate U.S. Companies Disclose Cyber Attacks Within 4 Days The U.S. Securities and Exchange Commission (SEC) recently approved regulations requiring publicly traded companies to disclose details about cyber attacks within four days of determining that the incident has a “material” impact on their financials. This marks a significant change in the way data breaches are reported. SEC Chair Gary Gensler stated, “Whether a company loses a factory in a fire or millions of files in a cybersecurity incident, it may be material to investors.” He emphasized that while many public companies currently offer cybersecurity disclosures, there would be greater benefits from a more consistent, comparable, and useful approach. The new rules stipulate that companies must share information regarding the incident’s nature, scope, and timing, along with its financial impact. However, companies may request a postponement of up to 60 days for such disclosures if it is deemed necessary.
New SEC Regulations Mandate Prompt Disclosure of Cyber Incidents by Public Companies On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) enacted new regulations requiring publicly traded companies to disclose significant cyber attacks within four days of recognizing…