New SEC Rules: U.S. Companies Must Disclose Cyber Attacks Within 4 Days
The U.S. Securities and Exchange Commission (SEC) has approved new rules that require publicly traded companies to disclose cyber attacks within four days of identifying a "material" impact on their finances. SEC Chair Gary Gensler emphasized the need for consistent and informative disclosure to benefit both companies and investors.
The new rules require companies to disclose the nature, scope, timing, and impact of the cyber attack. However, in cases where revealing specifics may jeopardize national security or public safety, disclosure can be delayed for up to 60 days.
Additionally, companies are now required to provide annual descriptions of their methods and strategies for assessing, identifying, and managing material risks from cybersecurity threats. They must also share details about any material effects or risks resulting from these events and information regarding ongoing or completed remediation efforts.
In recent months, over 500 companies fell victim to a cyber attack spree conducted by the ransomware group Cl0p. According to Kroll, the attacks were facilitated by exploiting critical flaws in commonly used enterprise software, with the threat actors adopting new methods to exfiltrate stolen data.
In response to these incidents, Amit Yoran, the CEO and Chairman of Tenable, expressed strong support for the new rules on cyber risk management and incident disclosure. He said that these rules are "right on the money" and represent a "dramatic step toward greater transparency and accountability."
Source: https://thehackernews.com/2023/07/new-sec-rules-require-us-companies-to.html