SEC proposes requiring companies to report cyberattacks within four days
WASHINGTON — Federal regulators are considering requiring publicly traded companies to disclose data breaches and other significant cybersecurity incidents within four days, as they seek to strengthen capabilities recovery of financial markets from online attacks.
The Securities and Exchange Commission proposed a rule on Wednesday that would impose mandatory reporting on companies about cybersecurity. The Trustees voted 3-1 to make the proposal, which could be finalized after the agency received and analyzed the response from the public.
“Unfortunately, cybersecurity incidents happen a lot,” SEC Chairman Gary Gensler said in prepared remarks, noting that successful attacks affect finances, operations and company’s reputation. “As a result, investors are increasingly looking for information about cybersecurity risks, which can affect their investment decisions and returns.” Mr. Gensler was nominated by President Biden.
SHARE YOUR THOUGHTS
Are you in favor of harsher rules for regulating cryptocurrencies? Join the conversation below.
Companies have long been required to notify the market about risks and incidents they deem important to investors, and in recent years the SEC has reminded them to do so promptly. related to network security. But agency officials say the companies’ disclosure of such information is inconsistent.
An analysis of 2018 legal filings by former Democratic SEC commissioner Robert Jackson found that about 90% of known cyber incidents at public companies went undisclosed.
Officials said Wednesday’s proposed rules would be more regulatory in nature.
In addition to reporting major cybersecurity events within four days of their discovery, companies will be required to provide periodic updates on previous incidents. They will also be required to report when “a series of previously undisclosed, individual cybersecurity events have become significant factors in the aggregate.”
The annual reports will also outline a company’s policies for identifying and managing cybersecurity risks, and indicate whether any member of that company’s board of directors has security expertise. network security or not.
The SEC will consult on the proposal for at least 60 days before deciding whether to issue a final rule.
Ransomware attacks are increasing in frequency, the number of victims is skyrocketing, and hackers are shifting their targets. The WSJ’s Dustin Volz explains why these attacks are on the rise and what the US can do to combat them. Artwork: Laura Kammermann
Write letter for Paul Kiernan at paul.kiernan@wsj.com
Copyright © 2022 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8
https://www.wsj.com/articles/sec-considers-rule-requiring-firms-to-report-cyber-attacks-within-four-days-11646838001?mod=rss_markets_main SEC proposes requiring companies to report cyberattacks within four days
