The U.S. Securities and Exchange Commission (SEC) has proposed new data breach reporting rule amendments that would require all publicly traded companies to report a material cybersecurity incident within 4 business days of discovering that such an incident has occurred.
A material cybersecurity incident is any cybersecurity incident that shareholders would likely consider important. There are existing state and federal laws that require companies to disclose data breaches; however, laws often state that breaches should be reported without unnecessary delay or require them to be reported within several weeks of discovery. In some cases, breaches only need to be reported if personal data was stolen in the attack and it is largely left to companies to decide when to report breaches, even if they have the potential to impact share prices or mergers and acquisitions.
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC Chair Gary Gensler. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks.”
Gensler said he believes that companies and investors alike would benefit from rule changes that require disclosures of cybersecurity incidents to be made “in a consistent, comparable, and decision-useful manner.” Gensler said the change would “strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”
When a material cybersecurity incident occurs, publicly traded companies will be required to disclose when the incident was discovered and whether it is ongoing; describe the nature and scope of the incident; state whether any data was stolen and, if known, whether data has been accessed or used for unauthorized purposes; explain how the incident is expected to affect operations; and state whether the breach has been remediated or is in the process of being remediated.
The rule changes would also require periodic reporting to provide updates on previously reported cybersecurity incidents, the policies and procedures that have been implemented to identify and manage cybersecurity risks, the oversight of cybersecurity risks by the board of directors, and annual reporting or proxy disclosures about the cybersecurity expertise of the board of directors.
The SEC will publish the proposed rule changes on the SEC.gov website and in the Federal Register, and comments will be accepted for 60 days from the date of publication on the website and for 30 days following publication in the Federal Register, whichever is longer.