The Securities and Exchange Commission (SEC) plans to implement final rules mandating public companies to disclose significant cybersecurity attacks to the public. This development will be discussed at a meeting scheduled for Wednesday.
Under these rules, companies will be required to assess whether a cyber attack they have experienced will have a substantial impact on their operations. If a material impact is determined, the company must disclose the incident within four days.
Additionally, public companies will need to provide information about the processes they have in place to manage the risks associated with cybersecurity threats.
The SEC's interest in cyber attacks stems from several high-profile corporate hacks in recent years. One notable example is the 2020 SolarWinds attack, which went undetected for months and posed a threat to 18,000 companies and government agencies. Another example is the 2021 Colonial Pipeline hack, which resulted in widespread gasoline shortages across the U.S. Northeast region.
These incidents prompted lawmakers to pass legislation last year that requires companies to report specific cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Homeland Security (DHS). However, it is important to note that unlike the disclosures required by the SEC, this information is not accessible to the general public.
If approved, the new rule will come into effect 30 days after its publication in the Federal Register.