SEC to mandate listed companies spell out cyber risks

(Reuters) — The U.S. Securities and Exchange Commission is set to unveil a rule on Wednesday to enhance how public companies disclose when they experience a breach and how soon.

Under the proposed SEC measures, a company would have to spell out when it experiences a risk and what strategies it has employed to address and manage such risks in current report filings, including Form 8-K.

The rule changes, which are subject to public comment, would also require an analysis of how the cyber risks are likely to affect the company’s financials. This would allow investors to assess these risks more effectively and to locate them more readily, the SEC said.

The changes come at a time of growing regulatory concern about how cybersecurity issues could affect markets and investors. Regulators have warned, for example, of cyberattacks from Russia in retaliation for western sanctions.

President Joe Biden’s administration has also ratcheted up its focus on the issue after a recent series of high-profile cyberattacks on U.S.-based companies.

When companies have an obligation to disclose material information to investors, they must be complete and accurate, SEC Chair Gary Gensler said in a statement.

“Their disclosures also should be timely,” he added.

Wednesday’s measure would also require updates in periodic reports to give investors more complete information on previously disclosed, material cybersecurity incidents, the agency said.

The proposals would build on existing SEC cyber risk guidance, which is set to remain in effect, even under the agency’s new rules, an SEC official told reporters.

This website states: The content on this site is sourced from the internet. If there is any infringement, please contact us and we will handle it promptly.