SEC Plan Would Require Report of Cyberattacks Within Four Days

“Cybersecurity incidents, unfortunately, happen a lot,” SEC Chairman Gary Gensler said in prepared remarks, noting that successful attacks affect companies’ finances, operations and reputations. “Thus, investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns.” Mr. Gensler was nominated by President Biden.

Companies have long been required to tell the market about risks and incidents they deem to be material to investors, and the SEC has reminded them in recent years to do so in a timely fashion with regards to cybersecurity. But agency officials say companies’ disclosure of such information has been inconsistent.

An analysis of 2018 regulatory filings by former Democratic SEC commissioner Robert Jackson found that some 90% of known cyber incidents at public companies went undisclosed.

Wednesday’s proposed rules would be more prescriptive, officials said.

In addition to reporting major cybersecurity events within four days after uncovering them, companies would be required to provide periodic updates about previous incidents. They would also have to report when “a series of previously undisclosed, individually immaterial cybersecurity events has become material in the aggregate.”

Annual reports would also have to outline a firm’s policies for identifying and managing cybersecurity risks, and say whether any member of its board of directors has expertise in cybersecurity.

The SEC will solicit comments on the proposal for at least 60 days before deciding whether to issue a final rule.

Write to Paul Kiernan at [email protected]