The Securities and Exchange Commission has reached the implementation dates for its cyber incident reporting requirements. The rules, which require companies to report ,material cyber attacks within four business days of determination, are leading to significant changes in how companies prepare for and implement cyber risk strategies at the highest levels of publicly traded companies that operate in the U.S.
Companies are required to disclose any material security incident by outlining its nature, scope, the timing of the incident, and its likely impact. Companies must file a Form 8-K, Item 1.05. But, if the U.S. attorney general says immediate disclosure would create substantial national security or public safety risk, companies can delay disclosure.
The standard in determining whether a cyber attack is material as outlined in the rule’s adopting release, is what the Supreme Court has deemed material information: a fact is material if there is a “substantial likelihood that a reasonable investor would consider it important” or if it would have “significantly altered the ‘total mix’ of information made available.”
The SEC is also requiring companies to amend their initial 8-K filings to disclose incident information that was not previously determined or available. The SEC cybersecurity rules are aimed at publicly listed companies, most public companies are reliant on many smaller third-party software and supply chain companies, and a cyberattack at any point along that chain could have a material impact. Such third-party companies — whether public or not — should also know with the new regulations.
Foreign private issuers will use a Form 6-K to detail material cyber incidents they disclose or publicize outside the U.S. to any stock exchange or stockholders.
The SEC puts the onus on companies to give investors current, consistent and “decision-useful” information about how they manage their cyber risks.
Jeffrey Newman Esq. represents whistleblowers under the SEC, CFTC and FINCEN whistleblower programs. Whistleblowers providing original information to these agencies through counsel, may receive rewards totaling up to 30 percent of a successful recovery made by the SEC, CFTC OR FINCEN and the names and identification of the whistleblowers are not revealed. These may include whistleblowers who reveal violations of U.S. sanctions. Jeff Newman can be reached at Jeff@Jeffnewmanlaw.com or at 617-823-3217
