Companies would face more pressure to alert the public of hacks or other significant cybersecurity incidents under a new plan from the
The SEC on Wednesday proposed requiring publicly traded firms to disclose breaches within four days. The demands would apply to incidents that are considered “material,” or important to the average investor.
The plan, which was supported by the commission’s three Democrats, is the latest move by Wall Street’s main regulator to prod companies to be more transparent when attacks occur after years of high-profile incidents. Last month, the SEC proposed requiring investment companies to bolster their cybersecurity systems.
“Cybersecurity incidents, unfortunately, happen a lot,” SEC Chair
Firms currently rely on 2018 SEC guidance to determine when to disclose incidents, which does not specify a time frame for notifying the public.
In addition to the requirements that publicly traded firms disclose a major incident, the SEC’s plan would also:
- Require companies to report information about how they manage cyber risks in their annual reports
- Amend the form that companies use to report significant news so that it is useful for disclosing hacks
The proposal will now be subject to public comment, and the SEC would have to hold another vote months later to finalize the rules after taking into account those responses.
(Updates with vote, commissioner’s comments starting in second paragraph.)
To contact the editors responsible for this story:
Elizabeth Dexheimer
© 2022 Bloomberg L.P. All rights reserved. Used with permission.