
New "Disclose within 4 days" rule if a company is cyber-attacked.

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) announced the adoption of a new rule requiring companies to disclose within four business days any cyberattack that is deemed a material incident. This new rule is expected to provide greater protection for investors.

The SEC announced on July 26 that it will "require registered companies to disclose any significant cybersecurity incidents they encounter and to annually disclose material information about their cybersecurity risk management, strategy, and governance."

U.S. public companies are already required to disclose extraordinary events, such as acquisitions, changes in board members, acquisitions or sales of material assets, and bankruptcies, in a special report called a Form 8-K. The revised regulations add a new section to the Form 8-K for disclosing cybersecurity incidents that are deemed material; the disclosure must describe the nature, scope, and timing of the incident and its significant impact on the company.

Filings are generally due within four business days, but disclosure may be delayed if the Attorney General determines that "immediate disclosure would pose a significant risk to national security or public safety." SEC Chairman Gary Gensler said in the announcement that if a company loses millions of files in a cybersecurity incident, that is likely to be important to investors.

Many publicly traded companies already disclose cybersecurity information to investors, but it would benefit both investors and companies if this were done in a more uniform, comparable, and decision-useful manner. The new rules also require the annual report, Form 10-K, to describe the company's process for assessing, identifying, and managing significant risks from cybersecurity threats, the impact of past cybersecurity incidents, and the management team responsible for these decisions.

The announcement also provides background on why the rule was enacted. The trigger was the so-called supply chain hacking incident perpetrated by Russian cybercriminals against the widely used file transfer program MOVEit. Many organizations suffered major data breaches in this incident, but disclosure has been slow and it has taken time to get a full picture.

Leslie Ritter, Senior Vice President at Moody's Investors Service, a credit rating agency, commented, "This rule could bring transparency to an opaque and growing risk and spur improved cyber defense."

Amit Yoran, CEO of cybersecurity firm Tenable, also welcomed the new rules: "For a long time, large American companies have viewed cybersecurity as a 'nice to have' rather than a 'must have.' Today, however, it is very clear that corporate leaders must strengthen cybersecurity within their organizations."


On the other hand, Republican Hester Peirce, a member of the opposition, said in a statement that "the new rules exceed the SEC's authority and seem to fit the needs of aspiring hackers more than the needs of investors seeking financially material information," and expressed concern that excessive disclosure of security systems could make companies more vulnerable to cyber attacks.

In Japan, reporting of personal information leaks is mandatory, and when personal information is leaked from a company that has been subjected to unauthorized access or other cyber attacks, the company is required to notify the victims and the relevant authorities. However, reporting cybersecurity incidents that do not involve personal information and disclosing information on cybersecurity to investors are not mandated.

If a similar regulation were enacted in Japan, it would have a significant impact, because incident disclosure would change from a best-effort obligation to a hard requirement. In contrast to U.S. companies, which have their own IT staff and develop and operate software in-house, Japanese companies tend to outsource important software to vendors and lack in-house IT staff, which would make it difficult to respond within such a deadline. Competition for IT personnel, and security personnel in particular, is likely to intensify.

Source: U.S. Securities and Exchange Commission (SEC) press release, "SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies":
https://www.sec.gov/news/press-release/2023-139