New SEC rules put a time limit on reporting hacks and data breaches

Illustration by Amelia Holowaty Krales / The Verge

Public companies will now have to disclose cybersecurity incidents sooner, thanks to a rule adopted by the Securities and Exchange Commission. Under the new policy, the SEC will require public companies to report data breaches and hacks four business days after they are discovered.

Companies will have to disclose any cybersecurity incidents on a Form 8-K filing. These publicly available documents typically inform shareholders about major changes to the company — and now they’ll include a new Item 1.05 for cybersecurity incidents. The disclosure should include information on the incident’s “nature, scope, and timing,” as well as “its material impact or reasonably likely material impact” on the company.

We @SECGov adopted rules regarding cybersecurity disclosures by…
