
The Impact of New SEC Cyberattack Disclosure Rules

Introduction: Embracing Transparency in Cybersecurity

In a significant shift towards cybersecurity transparency, the U.S. Securities and Exchange Commission (SEC) has introduced new rules requiring publicly traded companies to disclose cyberattacks within four business days after identifying them as material incidents. This decree sets a precedent that I believe other nations and regulatory bodies around the world may soon emulate, particularly those in jurisdictions where cybercrime is increasingly impacting business operations and investor confidence.

Understanding the New SEC Cybersecurity Rules

The SEC has defined ‘material incidents’ as those which shareholders of public companies consider crucial to their investment decisions. The rules also extend to foreign private issuers, necessitating equivalent disclosures following cybersecurity breaches.

In essence, whether a company's operations were hindered by a factory fire or it lost millions of files in a cyberattack, both situations might hold material importance for investors. As SEC Chair Gary Gensler has noted, a sizable number of public companies currently provide cybersecurity disclosures to their investors.

The Shift to Consistency in Cybersecurity Disclosures

According to SEC Chair Gary Gensler, the primary intent behind these rules is to foster a more consistent, comparable, and decision-useful disclosure system. As such, crucial cybersecurity information will benefit not just investors, but also the companies involved, and the broader markets.

Implementation Timeline and Exemptions

From December, or 30 days after publication in the Federal Register, listed companies will be mandated to include detailed information about cyberattacks in their periodic report filings. While smaller companies have been granted a 180-day grace period, the U.S. Attorney General also holds the power to defer the disclosure timeline under certain circumstances.

The Global Impact and Future of Cybersecurity Transparency

The SEC’s move is likely to stimulate other nations and regulatory bodies to consider similar regulations, particularly in regions where cybercrime significantly impacts business operations and investor confidence. This shift towards transparency is a positive development for all stakeholders, encouraging enhanced cybersecurity measures and fostering trust. Increased visibility and awareness of cyber threats can only lead to a more robust emphasis on security. By shedding light on these once hidden issues, we are acknowledging the magnitude of the problem and compelling companies to enhance their cybersecurity measures. Consequently, this leads to better protections for businesses, their investors, and, importantly, the privacy and security of the individuals who use their services.

Conclusion: Towards a Safer Cyber Landscape

The SEC’s new regulations symbolise an essential step towards transparency and accountability in dealing with cyber threats. While challenges are inevitable, this journey is integral to ensuring the safety and security of the global business landscape.

