SEC Adopts Rule Requiring Companies to Disclose Cyber Incidents

The Securities and Exchange Commission (SEC) adopted a rule this week that will require publicly traded companies to report significant cyber incidents that are “material” to investors.

Companies will have four business days to report to the agency from the time they determine that the incident was material. Under the new rule, companies will have to disclose the incident’s nature, scope, timing and impact. Companies will also have to explain the processes they have in place to assess, identify and manage risks from cyber threats.

Last year, Congress passed legislation that would require companies in critical sectors to report substantial cyberattacks within 72 hours and ransomware payments within 24 hours to the Cybersecurity and Infrastructure Security Agency.