The Securities and Exchange Commission voted at a meeting Wednesday to adopt final rules requiring public companies to disclose material cybersecurity attacks to the public.
The rules will require a company to determine whether a cyber attack it has suffered will have a material impact on its operations, and then disclose the event within four days of that determination.
Public companies will also have to describe any processes they have to manage material risks from cyber security threats.
Any disclosures can be delayed if the U.S. Attorney General determines that immediate disclosure would pose a major risk to national security or public safety and notifies the SEC of that determination.
The rules “will enhance and help standardize disclosures to investors with regard to these public company cybersecurity practices,” said SEC Chair Gary Gensler.
“Currently, many public companies provide cybersecurity disclosure for investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way,” he added.
The SEC’s interest in cyber attacks follows major corporate hacks in recent years, including 2020’s SolarWinds attack, which went unnoticed for months and threatened 18,000 companies and government agencies, and the 2021 Colonial Pipeline hack that led to widespread gasoline shortages in the U.S. Northeast.
Those attacks also motivated lawmakers to pass legislation last year requiring companies to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency and the U.S. Department of Homeland Security, though unlike SEC disclosures, that information would not be available to the public.
The rule will become effective 30 days after its publication in the Federal Register.
This post was originally published on Market Watch