From December 18, 2023, publicly owned companies in the U.S. must comply with a new set of rules by the SEC requiring them to disclose “material” cyber incidents within 96 hours. Many organizations have argued that the new rules open them up to more risk and that four days to report to the SEC in a specific line item on a Form 8-K report is not enough time to confirm a breach. Another new line item called Item 106 to the Regulation S-K that will be included on a company’s annual Form 10-K filing will require businesses to describe their process “for assessing, identifying, and managing material risks from cybersecurity threats.”

In an 8-K filing, breached organizations must describe the incident’s nature, scope, timing, and material impact, including financial and operational. The SEC says the disclosure can be delayed if the U.S. attorney general determines that alerting shareholders to the incident “would pose a substantial risk to national security or public safety.” Smaller companies with a public float of less than $250 million or less than $100 million in annual revenues will get a 180-day extension before having to file their Form 8-K disclosing an incident.

The SEC believes that the rules are intended to increase visibility into cybersecurity governance and provide disclosure in a more “consistent, comparable and decision-useful way” that will benefit investors and companies alike.

The SEC will enforce this rule with potential consequences which include financial penalties, legal liabilities, reputational damage, loss of investor confidence and regulatory scrutiny to those organizations who do not comply. Read more about this story on our LinkedIn page