October 30, 2023
Publicly traded companies are complying with the Securities and Exchange Commission’s (SEC) new cyber disclosure rules ahead of their December start date. The rules require companies to disclose material cyber incidents within four business days.
Most public companies don’t need to start reporting material cyber incidents until December 18, but many are already abiding by the rules. For example, Okta reported a security breach last week, and Caesars reported a cyber incident earlier this month.
The early disclosures are giving other businesses a preview of what to expect from regulators, shareholders, and consumers when they report their own cyber incidents.
Under the new rules, companies must disclose a description of the cyber incident, including the date, nature, and scope of the attack, the impact of the incident on the company’s operations and financial condition, and any remedial measures the company has taken or is taking to address the incident in an 8-K filing.
Companies must also disclose more details about their internal cybersecurity programs in annual reports. This includes information about the company’s cybersecurity governance, risk management, and incident response procedures.
The new rules have triggered pushback and anxiety among corporations worried about the implications of public incident disclosures. Some companies are concerned that the SEC will use their 8-K filings to hold them liable for incidents.
Others are unsure how consumers and shareholders will respond to reports of new cyberattacks. However, experts say that companies can mitigate these risks by preparing now. They recommend that organizations conduct tabletop exercises, establish crisis communications plans, and provide cybersecurity training to board members.
They say that companies can determine if a cyberattack will have a material business impact by considering the cost of business interruptions, the cost of ransom payments, and the cost of network security upgrades. However, most 8-K filings don’t stray much from how companies were already publicly discussing incidents. They typically stick to a short statement that says they’re facing an incident and will return with more information at a later date.
The sources for this piece include an article in Axios.
