Connect with us

Hi, what are you looking for?



SEC Says Companies Must Disclose Cybersecurity Incidents Within 4 Days

The SEC has adopted new rules requiring public companies to disclose cybersecurity breaches that have a material impact within four days.

Concerns raised over SEC’s new cyber incident disclosure rules helping hackers 

The US Securities and Exchange Commission (SEC) announced on Wednesday that it has adopted new cybersecurity incident disclosure rules for public companies, but there is some concern that the new rules might actually be helping hackers.

The goal of the new rules is “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents”. 

Publicly traded companies will be required to disclose, through a Form 8-K filing, any material cybersecurity breach within four business days, unless otherwise instructed by the US attorney general due to substantial risk to national security or public safety. 

The SEC filing must describe the incident’s nature, timing, scope and material impact (or likely material impact). It’s worth noting that the timer for the four days starts the moment the victim determines that an incident is material.

Companies will also have to regularly provide information on their processes for identifying, assessing and managing risks associated with cyber threats, as well as on material impact from threats and previous incidents. 

Information on the board of directors’ oversight of cybersecurity risks and management’s expertise and role in managing cybersecurity-related material risks will also need to be provided.

Advertisement. Scroll to continue reading.

The Form 8-K disclosures will be required starting 90 days after the publication of the rules in the Federal Register or December 18, 2023. Smaller companies have been given an additional 180 days. 

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

While some have applauded the SEC’s efforts to ramp up expectations for companies, others are not happy with the new rules. 

The rules passed by a 3-2 vote and one of those who voted against it is SEC commissioner Hester Peirce, who raised concerns that the requirements will harm investors due to the additional costs associated with the disclosure process.

In addition, Peirce pointed out that the disclosure requirements could actually help cybercriminals. 

“The strategy and governance disclosures risk handing them a roadmap on which companies to target and how to attack them. The 8-K disclosures, which are unprecedented in nature, could then tell successful attackers when the company finds out about the attack, what the company knows about it, and what the financial fallout is likely to be (i.e., how much ransom the attacker can get),” Peirce said.

“The requirement to file an amended 8-K when new information comes in will provide the attacker regular updates on the company’s progress. The 8-K disclosures also will signal to other would-be attackers an opportune time to attack. The careful drafting necessary to avert some of these problems will be difficult in the four-day filing timeframe,” Peirce added.

It’s worth noting that these concerns are mentioned in the SEC’s document, but the risk is described as “justified by investors’ need for timely information”. 

Related: How to Prepare for New SEC Cybersecurity Disclosure Requirements

Related: Analysis: SEC Cybersecurity Proposals and Biden’s National Cybersecurity Strategy

Related: Fulfilling Expected SEC Requirements for Cybersecurity Expertise at Board Level

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.


US National Cybersecurity Strategy pushes regulation, aggressive 'hack-back' operations.


The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...

Cloud Security

Redmond is accused of “negligent cybersecurity practices” that enabled a successful Chinese hack of the United States government.


Companies have announced securing billions of dollars in cybersecurity-related contracts with the United States government in 2022.


CISA has described and published a set of principles for the development of security-by-design and security-by-default cybersecurity products.


TSA instructs airport and aircraft operators to improve their cybersecurity resilience and prevent infrastructure disruption and degradation.