New SEC Rule – Companies Must Disclose MATERIAL Cyber Incidents in Four Days

Just recently the SEC delayed the implementation of two other cyber rules, both much broader than this.

While this rule is good, there is a lot of wiggle room, which will no doubt be the source of any number of class-action lawsuits. The wiggle room is the term in caps above.

When is an incident material? Ultimately, there will be case law, but currently there is none. Some companies will decide to play it safe and likely over-disclose. Others will play the odds, risk the wrath of the SEC and the class-action bar, and under-disclose.

Under the new rules, companies will be required to give the SEC relevant details of any incident’s “nature, scope and timing” and offer information about how they believe the event will impact them. The disclosure will be required within four days AFTER THE COMPANY DECIDES THE INCIDENT IS MATERIAL.

Moody’s, the risk rating firm, says the rules will provide more transparency into an otherwise opaque but growing risk. That sentence is an understatement. Very opaque and significantly growing.

Companies will also be required to explain how they identify and manage significant cyber threats and to explain risks from previous incidents.

The new rule also requires companies to explain how their boards of directors supervise cyber risk. THESE DETAILS WILL BE REQUIRED TO APPEAR IN COMPANIES’ ANNUAL REPORTS.

The rules are effective in December, although small companies will have an extra 180 days to comply.

If your company requires assistance in complying with these new rules, please contact us.

Credit: The Record