Public companies comply with SEC cyber disclosure rules early

Publicly traded companies are complying with the Securities and Exchange Commission’s (SEC) new cyber disclosure rules ahead of their December start date. The rules require companies to disclose material cyber incidents within four business days.

Most public companies don’t need to start reporting material cyber incidents until December 18, but many are already abiding by the rules. For example, Okta reported a security breach last week, and Caesars reported a cyber incident earlier this month.

The early disclosures are giving other businesses a preview of what to expect from regulators, shareholders, and consumers when they report their own cyber incidents.

Under the new rules, companies must disclose a description of the cyber incident, including the date, nature, and scope of the attack, the impact of the incident on the company’s operations and financial condition, and any remedial measures the company has taken or is taking to address the incident in an 8-K filing.

Companies must also disclose more details about their internal cybersecurity programs in annual reports. This includes information about the company’s cybersecurity governance, risk management, and incident response procedures.

The new rules have triggered pushback and anxiety among corporations worried about the implications of public incident disclosures. Some companies are concerned that the SEC will use their 8-K filings to hold them liable for incidents.

Others are unsure how consumers and shareholders will respond to reports of new cyberattacks. However, experts say that companies can mitigate these risks by preparing now. They recommend that organizations conduct tabletop exercises, establish crisis communications plans, and provide cybersecurity training to board members.

They say that companies can determine if a cyberattack will have a material business impact by considering the cost of business interruptions, the cost of ransom payments, and the cost of network security upgrades. However, most 8-K filings don’t stray much from how companies were already publicly discussing incidents. They typically stick to a short statement that says they’re facing an incident and will return with more information at a later date.

The sources for this piece include an article in Axios.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web