New SEC rules put a time limit on reporting hacks and data breaches

From The Verge: Public companies will now have to disclose cybersecurity incidents sooner, thanks to a rule adopted by the Securities and Exchange Commission. Under the new policy, the SEC will require public companies to report data breaches and hacks four business days after they are discovered.

Companies will have to disclose any cybersecurity incidents on a Form 8-K filing. These publicly available documents typically inform shareholders about major changes to the company — and now they’ll include a new Item 1.05 for cybersecurity incidents. The disclosure should include information on the “nature, scope, and timing” of the incident, as well as “its material impact or reasonably likely” impact on the company.

There is an exception to the four-day disclosure requirement, however. The SEC says that the disclosure can be delayed if the US attorney general determines that alerting shareholders to the incident “would pose a substantial risk to national security or public safety.”
