Bloomberg Law

"Publicly owned companies must comply with a new set of regulatory deadlines during the next week that will require swift disclosure of malicious cyberattacks on their networks and the processes in place to prevent them from happening again.

Entities subject to Securities and Exchange Commission authority will be required to file reports about data breaches within a shortened time frame, and must include additional specifics about the scope of any incidents, according to new SEC regulations effective Dec. 18. In-depth descriptions of a company’s cybersecurity governance will also be required in annual disclosures starting Dec. 15.

The updated obligations take effect as the SEC prosecutes a case against software developer SolarWinds Corp. that could indicate how aggressively the agency will enforce alleged disclosure violations. The new guidelines also come while government officials attempt to streamline more than 50 overlapping incident reporting requirements across federal agencies.

The agency began updating the regulations in October 2021 before requesting public feedback on the proposed rules in March 2022.

“Firms have to make real-time decisions when responding to cyber events and around related disclosures, especially when there are ongoing attacks, or even ongoing internal and criminal investigations,” SEC Enforcement Director Gurbir S. Grewal said during a June speech in which he emphasized that those decisions affect customers whose data’s been compromised. “Those decisions may also be material to investors in publicly-traded companies...”

This article was originally posted on Bloomberg Law.
