SEC proposes mandatory breach reporting for publicly traded companies

Gary Gensler, chair of the Securities and Exchange Commission, testifies at a Senate hearing in September 2021. Evelyn Hockstein/AFP via Getty Images


The Securities and Exchange Commission is proposing new rules requiring companies to disclose to investors material cybersecurity incidents within four business days.

The Securities and Exchange Commission has proposed an expansion of cybersecurity regulations for public companies, including mandatory timeframes for reporting material cybersecurity incidents.

The proposed amendments would require registrants to provide investors with disclosures of "material" cybersecurity incidents within four business days of their initial discovery, along with updated disclosures around previous cybersecurity incidents.

Companies would also be required to provide more comprehensive and standardized disclosures of their cybersecurity strategies, governance and risk management under the proposals, including to what extent they prioritize cybersecurity in their financial and business planning.

SEC Chair Gary Gensler said Wednesday that the proposed amendments would give investors enhanced disclosures around cybersecurity incidents, along with critical information about a registrant's cybersecurity risk management. The proposal follows a letter sent to the commission last month in which a bipartisan group of lawmakers called for expanded cybersecurity incident reporting requirements.

Gensler described cybersecurity as an emerging risk in a statement announcing the proposed amendments and said investors would benefit if incident disclosures were standardized "in a consistent, comparable, and decision-useful manner." He added that the proposed amendments would also give investors increased insight into a company's cyber posture and incident reporting practices.

As part of an effort to standardize cybersecurity incident reporting, the commission proposed requiring all of these disclosures to be presented in the machine-readable data format XBRL. Registrants would also be required to disclose their board's oversight policies for cybersecurity risks, and what expertise and role management has in developing the company's cybersecurity policies.

The Feb. 8 letter urging the commission to propose new cybersecurity rules was signed by Sens. Jack Reed (D-R.I.), Angus King (I-Maine), Susan Collins (R-Maine), Mark Warner (D-Va.), Kevin Cramer (R-N.D.), Catherine Cortez Masto (D-Nev.) and Ron Wyden (D-Ore.).

A spokesperson for Sen. King told FCW at the time that mandatory reporting requirements would help "dramatically improve America's real-time awareness of the threat landscape," adding: "Without a clear view of the challenges the nation faces in both the public and private sector, we lack the full information to protect our networks."