Public companies will need to disclose material cybersecurity incidents they experience and annually disclose information regarding their cybersecurity risk management, strategy and governance, under a rule announced Wednesday by the US Securities and Exchange Commission.

The SEC also announced rules requiring foreign private issuers to make comparable disclosures.

Senior living and care providers are particularly vulnerable to cyber attacks. As McKnight’s previously reported, healthcare providers are among the most frequently pursued cyberattack targets, largely because the data stored in their systems have become lucrative, according to LeadingAge’s cybersecurity white paper. It notes the value of information, combined with weak security defenses, makes healthcare a popular hunting ground for cybercriminals.

According to the SEC, evidence suggests that companies may be underreporting cybersecurity incidents.

“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way,” SEC Chair Gary Gensler said in a statement Wednesday. The new rules will benefit investors, companies and the markets in general, he added.

Public companies will be required to report a cybersecurity incident within four business days of determining that it is material, unless the US Attorney General notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety. Companies will use the new Item 1.05 of Form 8-K to describe the material aspects of the incident's nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. In their annual reports, under new Item 106 of Regulation S-K, they also must describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, together with the board's oversight of those risks and management's role in assessing and managing them.

“The rule, first proposed in March 2022, forms part of a broader SEC effort to harden the financial system against data theft, systems failure and cyber-intrusions,” Reuters reported.

Republican commissioners, however, dissented from the rule, saying that it was redundant and burdensome for companies and “could offer hackers a roadmap to their targets’ vulnerabilities and the size of ransom to be demanded,” the outlet reported.

The SEC also addressed threats from artificial intelligence.

“Recent developments in artificial intelligence may exacerbate cybersecurity threats, as researchers have shown that artificial intelligence systems can be leveraged to create code used in cyberattacks, including by actors not versed in programming,” the commission noted.

The final rules will become effective 30 days following publication of the adopting release in the Federal Register. Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after Dec. 15