
The new cybersecurity disclosure requirements mandated by the U.S. SEC have come into effect, requiring companies to disclose cybersecurity incidents, with some exceptions, within four days of their occurrence.
There are two components to the disclosure rules.
- The first is mandatory reporting of material cybersecurity incidents. Incidents are disclosed on Form 8-K and must be reported within four business days of the incident.
- The second component requires companies to disclose their policies to manage cybersecurity risk, including providing updates on previously reported material cybersecurity incidents.
The requirements include describing the nature and scope of the incident, the impact on the company’s operations, and any remedial actions taken. Organizations must disclose their cybersecurity risk management, strategy, and governance in annual reports.
Companies are required to describe their policies and procedures to identify and manage cybersecurity risks, the role of the board of directors in overseeing these risks, and management’s role in implementing cybersecurity policies and strategies.
But not all cybersecurity incidents will be treated the same. According to guidance issued by the Department of Justice, companies can delay reporting incidents where there could be national security risks.
Potential risks that would allow a company to delay reporting include:
- the cybersecurity incident is reasonably suspected of having involved a technique for which there is not yet a well-known mitigation;
- the incident primarily impacted a system that contains sensitive U.S. government information; or
- the registrant is conducting remediation for critical infrastructure or a critical system, and a disclosure revealing that the registrant is aware of the incident would undermine those efforts.

