SEC to Wall Street: Security incidents need disclosure

By on
SEC to Wall Street: Security incidents need disclosure

Companies should go public four days from incident discovery.

The US Securities and Exchange Commission (SEC) wants publicly-traded companies to be more upfront about cyber security incidents.

To that end, the regulator has announced a proposed rule that would require prompt and ongoing disclosure of cyber security incidents.

SEC chair Gary Gensler said: “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”

The rule-making is currently open for comment.

“The proposed rules would require current and periodic reporting of material cyber security incidents,” the proposed rule [pdf] states.

“Additionally, we are proposing amendments that would require periodic disclosures
about a registrant’s policies and procedures to identify and manage cyber security risk, including the impact of cyber security risks on the registrant’s business strategy; management’s role and expertise in implementing the registrant’s cyber security policies, procedures, and strategies; and the board of directors’ oversight role, and cyber security expertise, if any”.

The disclosure timeframe proposed by the SEC would send a chill down corporate spines in Australia: the SEC proposes an amendment to Form 8-K “to add Item 1.05 to require registrants to disclose information about a cyber security incident within four business days after the registrant determines that it has experienced a material cyber security incident”.

Forms 10-Q and 10-K would also be amended so that companies would provide updates to security incidents they have already disclosed.

The SEC also wants companies to disclose what cyber security expertise exists on companies’ boards: the rule would “require disclosure about if any member of the registrant’s board of directors has cyber security expertise”.

The Form 8-K disclosure would require companies to report when an incidents was discovered and whether it is ongoing, along with a description of the nature and scope of an incident.

If data was “stolen, altered, accessed, or used for any other unauthorised purpose”, a victim company would have to say so, along with “the effect of the incident on the registrant’s operations”, and whether an incident has been or is being remediated.

Last November, US banks became subject to a rule requiring disclosure within 36 hours of discovering a cyber security incident.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
cyber securitydisclosurehackinfosecsecsecuritystrategy

Sponsored Whitepapers

Responding To Industry Trends And Our 5m+ Users
Responding To Industry Trends And Our 5m+ Users
The Future of Digital Identity in Government
The Future of Digital Identity in Government
Secure Public Services for Every Australian
Secure Public Services for Every Australian
7½ Questions for Aged Care's Digital Decisions
7½ Questions for Aged Care's Digital Decisions
Creating the Sustainable IT Department
Creating the Sustainable IT Department

Most Read Articles

Qantas brings technology under chief customer officer

Qantas brings technology under chief customer officer
Woolworths sheds light on 'dark store' ecommerce operations

Woolworths sheds light on 'dark store' ecommerce operations
Westpac tech teams impacted as bank cuts 300 staff

Westpac tech teams impacted as bank cuts 300 staff
ANZ deploys new algorithms, AI to tackle scams

ANZ deploys new algorithms, AI to tackle scams

Digital Nation

DeepAI founder on the risks of artificial intelligence
DeepAI founder on the risks of artificial intelligence
COVER STORY: The opportunities and risks of cybersecurity insurance in Australia
COVER STORY: The opportunities and risks of cybersecurity insurance in Australia
Health tech startup Kismet raises $4m in pre-seed funding
Health tech startup Kismet raises $4m in pre-seed funding
How eBay uses interaction analytics to improve CX
How eBay uses interaction analytics to improve CX
More than half of loyalty members concerned about their data
More than half of loyalty members concerned about their data

Log In

  |  Forgot your password?