The US Securities and Exchange Commission (SEC) wants publicly-traded companies to be more upfront about cyber security incidents.
To that end, the regulator has announced a proposed rule that would require prompt and ongoing disclosure of cyber security incidents.
SEC chair Gary Gensler said: “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”
The rule-making is currently open for comment.
“The proposed rules would require current and periodic reporting of material cyber security incidents,” the proposed rule [pdf] states.
“Additionally, we are proposing amendments that would require periodic disclosures about a registrant’s policies and procedures to identify and manage cyber security risk, including the impact of cyber security risks on the registrant’s business strategy; management’s role and expertise in implementing the registrant’s cyber security policies, procedures, and strategies; and the board of directors’ oversight role, and cyber security expertise, if any”.
The disclosure timeframe proposed by the SEC would send a chill down corporate spines in Australia: the SEC proposes an amendment to Form 8-K “to add Item 1.05 to require registrants to disclose information about a cyber security incident within four business days after the registrant determines that it has experienced a material cyber security incident”.
Forms 10-Q and 10-K would also be amended so that companies would provide updates to security incidents they have already disclosed.
The SEC also wants companies to disclose what cyber security expertise exists on their boards: the rule would “require disclosure about if any member of the registrant’s board of directors has cyber security expertise”.
The Form 8-K disclosure would require companies to report when an incident was discovered and whether it is ongoing, along with a description of the nature and scope of the incident.
If data was “stolen, altered, accessed, or used for any other unauthorised purpose”, a victim company would have to say so, along with “the effect of the incident on the registrant’s operations”, and whether an incident has been or is being remediated.
Last November, US banks became subject to a rule requiring disclosure within 36 hours of discovering a cyber security incident.