SEC Adopts New Rules for Disclosure of Cybersecurity Incidents


New rules involve immediate and annual reporting requirements.

The U.S. Securities and Exchange Commission (SEC) has adopted new rules for disclosure of cybersecurity incidents and risk management by publicly traded companies.

Under the new requirements, registrants must:

  • Disclose any cybersecurity incident that they “determine to be material and to describe the material aspects of the incident's nature, scope, and timing” as well as the incident’s material impact within four days.
  • Annually disclose their processes, if any, “for assessing, identifying, and managing material risks from cybersecurity threats.”
  • Annually describe the “board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”

The SEC will also require foreign private issuers to make comparable disclosures. The rules “will benefit investors, companies, and the markets connecting them,” says SEC Chair Gary Gensler.



