The US stock market regulator wants to tighten reporting requirements for security breaches at publicly traded firms.

The US Securities and Exchange Commission today proposed legal changes that would require publicly traded companies to disclose material cybersecurity incidents within four days of such a breach.

The SEC also wants to require “periodic disclosures” of the impact of ongoing cybersecurity threats in regularly scheduled quarterly 10-Q and annual 10-K reports filed by publicly traded firms, further increasing the mandate for transparency on cybersecurity issues. The more immediate reports disclosing security incidents would be filed in 8-K forms, used for unscheduled disclosures.

The idea is to protect investors by improving their ability to inform themselves about the risks involved in investing in a given company, according to the SEC. Given the severity of the threat posed by bad cybersecurity actors, a breach could have a huge impact on a company’s stock value and line of business, the commission said in a statement.

“Across industries, companies increasingly rely on information technology, collection of data, and use of digital payments as critical components of their business model and strategy,” the SEC said. “Their exposure to cybersecurity risks and previous cybersecurity incidents may affect these critical components, informing changes in their business model, financial condition, financial planning, and allocation of capital.”

It’s a change that appears to have been in the works for some time.
SEC chairman Gary Gensler told a conference on securities law in January that his agency wanted to strengthen regulations around cybersecurity, and outlined a multipart plan to do so, touching on consumer information protection, requirements for stronger security measures in the financial sector, and updates to existing regulations designed to incentivize large organizations to improve their technological security programs.

Staff guidance issued as far back as 2011 gave a good indication of the SEC’s interest in cybersecurity matters, staking out the agency’s position that cybersecurity incidents and risks are matters that responsible companies need to disclose. That guidance quickly bore fruit, prompting many large publicly traded firms to begin making those disclosures on their 8-K forms, and the SEC has even sanctioned companies with multimillion-dollar fines for failing to disclose important security incidents.

This week’s proposals by the SEC included a request for comment from industry stakeholders — comments are due either 30 days after first publication of the proposal in the Federal Register or May 9, whichever is later. An online form for providing comments can be accessed here.