Companies would face more pressure to alert the public of hacks or other significant cybersecurity incidents under a new plan from the U.S. Securities and Exchange Commission.
The SEC will consider a proposal on Wednesday that would require publicly-traded firms to disclose breaches within four days. The demands would apply to incidents that are considered “material” or important to the average investor.
The plan is the latest move by Wall Street’s main regulator to prod companies to be more transparent when attacks occur after years of high-profile incidents. Last month, the SEC proposed requiring investment companies to bolster their cybersecurity systems.
“Cybersecurity incidents, unfortunately, happen a lot,” SEC Chair Gary Gensler said in a statement. “A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable and decision-useful manner.”
Companies currently rely on 2018 SEC guidance to determine when to disclose incidents, which does not specify a time frame for notifying the public.
In addition to the requirements that publicly-traded firms disclose a major incident, the SEC’s plan would also:
- Require companies to report information about how they manage cyber risks in their annual reports
- Amend the form that companies use to report significant news to be useful for disclosing hacks
After the commissioner’s expected vote on Wednesday, the plan will be subject to public comment. The SEC will hold another vote months later to finalize the rules after taking into account those responses.