The SEC now compels corporations to report cyberattacks within 4 days.

The Securities and Exchange Commission of the United States has proposed new regulations requiring publicly traded businesses to disclose cyberattacks within four business days after finding they are material occurrences.

Material occurrences, according to the Wall Street watchdog, are ones that a public company's shareholders would deem relevant "in making an investment decision."

In addition, the SEC approved new regulations requiring foreign private issuers to publish identical disclosures in the aftermath of cybersecurity breaches.

Listed firms must now publish information about the cyberattack (including the nature, scale, and timing of the incident) in their periodic report filings, specifically on 8-K forms.

The new cybersecurity incident reporting regulations will go into effect in December, or 30 days after they are published in the Federal Register.

Smaller corporations, on the other hand, will be given an additional 180 days before being compelled to file Form 8-K filings.

If the US Attorney General determines that immediate disclosure would pose a severe risk to national security or public safety, the disclosure timetable may be postponed.

Source: https://www.bleepingcomputer.com/news/security/sec-now-requires-companies-to-disclose-cyberattacks-in-4-days/