Bloomberg Law
Free Newsletter Sign Up
Login
BROWSE
Bloomberg Law
Welcome
Login
Advanced Search Go
Free Newsletter Sign Up

SEC Weighs 4-Day Deadline for Companies to Disclose Hacks (1)

March 9, 2022, 3:54 PM

Companies would face more pressure to alert the public of hacks or other significant cybersecurity incidents under a new plan from the U.S. Securities and Exchange Commission.

The SEC on Wednesday proposed requiring publicly-traded firms to disclose breaches within four days. The demands would apply to incidents that are considered “material,” or important to the average investor.

The plan, which was supported by the commission’s three Democrats, is the latest move by Wall Street’s main regulator to prod companies to be more transparent when attacks occur after years of high-profile incidents. Last month, the SEC proposed requiring investment companies to bolster their cybersecurity systems.

Read more: SEC’s Gensler Signals More Cybersecurity Rules Are Coming

“Cybersecurity incidents, unfortunately, happen a lot,” SEC Chair Gary Gensler said in a statement. “A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”

Firms currently rely on 2018 SEC guidance to determine when to disclose incidents, which does not specify a time-frame for notifying the public.

Hester Peirce, the SEC’s only Republican, opposed the plan, citing concerns that it’d force the regulator to take on too big of a role in regulating computer security and was too prescriptive for companies.

In addition to the requirements that publicly-traded firms disclose a major incident, the SEC’s plan would also:

  • Require companies to report information about how they manage cyber risks in their annual reports
  • Amend the form that companies use to report significant news to be useful for disclosing hacks

The proposal will now be subject to public comment, and the SEC would have to hold another vote months later to finalize the rules after taking into account those responses.

(Updates with vote, commissioner’s comments starting in second paragraph.)

To contact the reporter on this story:
Ben Bain in Washington at bbain2@bloomberg.net

To contact the editors responsible for this story:
Jesse Westbrook at jwestbrook1@bloomberg.net

Elizabeth Dexheimer

© 2022 Bloomberg L.P. All rights reserved. Used with permission.