The US Securities and Exchange Commission (SEC) has approved new rules that require companies trading in American stock markets to be more transparent and responsible in their approach to cybersecurity. Under these rules, companies will not only be required to report serious cyber attacks, but also to disclose their strategies and measures for protecting against cyber threats.
SEC Chairman Gary Gensler stated that information about cybersecurity is important for investors, as it can impact a company’s financial condition and operational activities. He expressed his hope that the new rules will make this information more accessible, comparable, and useful for decision-making.
According to the new rules, companies must publish a special notification on Form 8-K within four business days of discovering a cybersecurity incident that could significantly impact their business or finances. The notification must include key details of the incident, as well as its consequences or potential risks for the company. A new paragraph 1.05 for cybersecurity incidents will be added to the form.
It will only be possible to delay the disclosure of information if the US Attorney General deems that notifying shareholders about the incident would pose a threat to national or public security. The Attorney General must notify the commission in writing of their decision.
In addition, the SEC has introduced a new paragraph 106 in Regulation S-K, which will be included in Form 10-K. This requires companies to provide a description of their actions in assessing, identifying, and managing risks related to cybersecurity threats. Companies must disclose their methods of assessing and managing the risks associated with cyber attacks.
These new rules also apply to foreign private issuers, who will need to make similar disclosures on Forms 6-K and 20-F.
The new rules will come into effect 30 days after being published in the Federal Register. Disclosures on Forms 10-K and 20-F will be required for financial years ending on or after December 15, 2023. Disclosures on Forms 8-K and 6-K must be provided no earlier than 90 days after the publication date in the Federal Register or by December 18, 2023.