Sign In

Communications of the ACM

ACM News

The SEC is Giving Companies Four Days to Report Cyberattacks

View as: Print Mobile App Share:
Artist's impression of a hacker at work.

"Cybersecurity intrusions can go beyond the loss of sensitive information and related remediation...they can alter the normal course operations of complex, capital- and infrastructure-intensive businesses," said SEC Commissioner Caroline A Crenshaw.

Credit: Kacper Pempel/Reuters

The U.S. Securities and Exchange Commission (SEC) wants public companies to be more transparent and forthcoming about "material cybersecurity incidents," the federal agency said yesterday (July 26).

Its new rules, passed by a 3-2 vote, dictate companies must disclose details of incidents and their effect on the bottomline in a section of the Form 8-K, a broad form companies use to notify shareholders of major events, within four days of a cybersecurity event.

A delay in filing will only be allowed if the .S. Attorney General determines that "immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing," the SEC said.

Final rules, which will be signed into the Federal Register later this year, will apply to big companies within 30 days. Smaller companies will be given a more generous deadline—180 days—to comply.

From Quartz
View Full Article



No entries found