Key provisions of the new SEC cyberattack rules, which took effect on Monday

The Securities and Exchange Commission’s new cyberattack rules require companies to report an attack within four business days of deciding whether it is “material” to shareholders. The SEC used to require firms to disclose major events that would be of shareholder interest, but didn’t specify cyber events.

US officials said the new rules will boost visibility into cyberattacks, which are widely underreported.

Under the new rules, public companies have to report on the impact of a material hack, including what data was publicly disclosed and the processes the company used to mitigate risk. They also must disclose how they manage cybersecurity risks in annual reports.

The requirements take hold after a few years in which cyberattacks temporarily disrupted crucial sectors of the economy, including meat production, shipping and Treasury trades. Often, hackers demand money from the victims to unlock computer systems that are encrypted with ransomware or demand an extortion payment not to release stolen company documents.

An exemption to the rule allows the Attorney General to delay a company’s disclosure by up to 120 days on account of national security or public safety. Senior Justice Department and FBI officials told reporters that companies that think they may be eligible should apply as soon as they decide the incident is material or even before. The exemption will apply only rarely, officials said.

JEFFREY NEWMAN AND HIS LAW FIRM REPRESENT WHISTLEBLOWERS UNDER THE SEC, CFTC AND FINCEN WHISTLEBLOWER PROGRAMS. Whistleblowers who provide original information to these agencies through counsel may receive rewards totaling up to 30 percent of any successful recovery made by the SEC, CFTC or FINCEN, and the names and identification of the whistleblowers are not revealed. Jeff Newman can be reached at Jeff@Jeffnewmanlaw.com or at 617-823-3217.