SEC proposes four-day rule for public companies to report cyberattacks

A new rule proposed by the US Securities and Exchange Commission (SEC) would force public companies to disclose cyberattacks within four days along with periodic reports about their cyber-risk management plans.

Specifically, the proposed rule would amend the Form 8-K reporting requirements to include cybersecurity incident disclosure "within four business days after the registrant determines that it has experienced a material cybersecurity incident." The 8-K is the form that the SEC requires public companies file to publicly announce corporate changes or big events that may be material to shareholders. 

It would also amend the quarterly 10-Q and annual 10-K reporting requirements with mandates that corporations provide updates about previously undisclosed incidents after a series of them "become material in the aggregate," along with information about policies and procedures, if they have any, for managing cyber risk and cybersecurity governance.

This includes the board of directors' oversight, details about any board members' cybersecurity expertise, and management's role and experience handling cyber risks and implementing cybersecurity policies, procedures, and strategies.

"Today, cybersecurity is an emerging risk with which public issuers increasingly must contend," SEC Chair Gary Gensler said in a statement. "Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner."

The proposed SEC rule comes as similar cyber reporting mandates are finally picking up steam with more members of the US Congress.

Earlier this month, the US Senate unanimously passed the Strengthening American Cybersecurity Act of 2022. It would, among other things, require critical infrastructure operators and federal agencies to report cyberattacks and ransomware payments. The proposed law now heads to the House for a vote.

These types of breach reporting mandates aren't new ideas. Some lawmakers, members of the Biden administration, and private-sector security analysts have been pushing for more robust cyberattack reporting rules since last year's high-profile ransomware attacks against Colonial Pipeline, meat processor JBS, and Kaseya, among others. 

• Russia's invasion kicks Senate into cybersecurity law mode
• Where are the (serious) Russian cyberattacks?
• Ragnar ransomware gang hit 52 critical US orgs, says FBI
• UN mulls Russia's pitch for cybercrime treaty

However Russia's invasion of Ukraine and the threat of potential cyberattacks against the West in retaliation for sanctions have given these proposed laws a new sense of urgency. CISA recently updated guidance to US businesses about potential threats from Russia.

While the federal agency hasn't seen any specific cyber threats, "every organization — large and small — must be prepared to respond to disruptive cyber activity," CISA warned. ®