The US Securities and Exchange Commission (SEC) has proposed rules that would require public companies to report cyber attacks on their networks within four days and to regularly disclose their plans for managing cyber risks.
The SEC has proposed amendments to Form 8-K that would require companies to disclose incidents “within four days after they encounter a material security incident.”
Form 8-K is a broad form used to notify investors in US public companies of significant events and corporate changes that may affect shareholders.
The SEC also proposed amendments to the requirements for quarterly (10-Q) and annual (10-K) reports, obliging companies to provide new information about previously undisclosed incidents. This includes disclosure of oversight by the board of directors, details of board members' experience in cybersecurity, and the role and experience of management with respect to cyber risks and the implementation of cybersecurity policies, procedures and strategies.
Earlier this month, the US Senate unanimously passed the Strengthening American Cybersecurity Act of 2022. Among other things, the bill requires critical infrastructure operators and federal agencies to report cyberattacks and ransoms paid to cyber extortionists. The bill has been sent to the House of Representatives for a vote.