The US Securities and Exchange Commission today proposed legal changes that would require publicly traded companies to disclose material cybersecurity incidents within four days of such a breach.
The SEC also wants to require “periodic disclosures” of the impact of ongoing cybersecurity threats in regularly scheduled quarterly 10-Q and annual 10-K reports filed by publicly traded firms, further increasing the mandate for transparency on cybersecurity issues. The more immediate reports disclosing security incidents would be filed in 8-K forms, used for unscheduled disclosures.
The idea is to protect investors by improving their ability to inform themselves about the risks involved in investing in a given company, according to the SEC. Given the severity of the threat posed by bad cybersecurity actors, a breach could have a huge impact on a company’s stock value and line of business, the commission said in a statement.