Understanding the SEC’s New Cybersecurity Disclosure Rules

The U.S. Securities and Exchange Commission (SEC) has adopted new rules that require public companies to be more open about cybersecurity incidents and risks. These changes aim to give investors a clearer and more consistent view of how companies manage cyber threats, and of the incidents that have actually affected them, so they can better judge a company’s exposure to data breaches.

What are the requirements?

- Incident Reporting: One of the key updates is that companies must now report any “material” cybersecurity incident within four business days. The clock starts when the company determines that the incident is material, not when the incident is first detected, and that determination must be made without unreasonable delay. That’s a fast turnaround, especially since materiality can be difficult to judge. In general, an incident is “material” if a reasonable investor would consider it important, for example because it could significantly affect the company’s finances, operations or reputation. The one exception is national security: if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety, the company may delay reporting.

- Annual Reporting: Companies also need to describe their overall approach to cybersecurity once a year, in their annual report. This includes how they assess and manage cybersecurity risks, what processes they follow, and who has final responsibility for oversight and implementation at both board and management level. They must also disclose whether cybersecurity threats, including past incidents, have materially affected the company or are reasonably likely to, and what they have done in response.

These rules are a big shift from the previous landscape. In the past, companies largely decided for themselves how much to share about security incidents and when. Now, the SEC is setting clear timelines and expectations, with the goal of giving investors better tools to understand how prepared a company is for data breaches and hacking attempts.

What does this mean for businesses?

It means getting organised quickly. Because the four-day clock runs from the materiality decision, the incident response plan needs to define who makes that call, on what evidence, and how fast it escalates from the security team to legal and finance. Having that plan in place and clear lines of responsibility will be key to staying compliant and protecting both customers and shareholders.