The US Securities and Exchange Commission (SEC) announced new cybersecurity incident disclosure rules for public companies on Wednesday. The SEC hopes the new guidelines will improve risk management, but some are concerned the rules will help hackers instead.
The guidelines state that public companies must disclose cyber incidents via Form 8-K filings within four business days. Companies must also share with the SEC information regarding the board of directors’ or management’s expertise in managing cybersecurity, as well as all current cyber threat mitigation strategies. Large organizations must comply within 90 days of the Federal Register’s update on December 18, while smaller businesses have an additional 180 days. Some critics noted that the 8-K disclosures could help cybercriminals determine a company’s cybersecurity infrastructure and track its security developments over time.