Listed US Firms Must Disclose Cyber Breaches In Four Days


US financial regulator adopts new rules to require publicly traded companies to disclose hacking incidents in just four days

The US financial regulator, the Securities and Exchange Commission (SEC), has adopted new rules governing the disclosure of data breaches and cyber incidents.

The SEC announced that it has “adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”

The new rules mean that publicly traded firms in the US have to disclose cyber or hacking incidents within four days. They come after a number of high-profile firms and organisations were accused of failing to disclose a cyber incident in a suitable time frame, or even of covering up an attack.


Cyber disclosures

Besides now requiring publicly traded US firms to disclose cyber incidents, the SEC also adopted rules requiring foreign private issuers to make comparable disclosures.

Essentially, the SEC wants to make cyber disclosures mandatory so that Americans deciding where to invest their money have consistent information about the firms they are choosing between.

“Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors.”

“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” said Gensler. “Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.

An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material, said the SEC.

However, if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, the disclosure may be delayed.

The SEC said that the final rules will become effective 30 days following publication of the adopting release in the Federal Register.

Companies will also have to describe periodically what efforts they are making to identify and manage threats in cyberspace.

Broker AI proposal

Meanwhile, the SEC this week also proposed new requirements to tackle risks to investors from conflicts of interest associated with the use of predictive data analytics by broker-dealers and investment advisers.

These proposed new requirements come after the 2021 “meme stock” rally, when US officials found robo-advisers and brokers had used AI and game-like features to drive trading.

So what exactly is the SEC proposing?

Well, the proposed SEC rules would require broker-dealers and investment advisers to take certain steps to address conflicts of interest arising from their use of predictive data analytics and similar technologies when interacting with investors, so as to prevent firms from placing their own interests ahead of investors’ interests.

“We live in an historic, transformational age with regard to predictive data analytics, and the use of artificial intelligence,” said SEC Chair Gary Gensler. “Today’s predictive data analytics models provide an increasing ability to make predictions about each of us as individuals.”

“This raises possibilities that conflicts may arise to the extent that advisers or brokers are optimising to place their interests ahead of their investors’ interests,” said Gensler. “When offering advice or recommendations, firms are obligated to eliminate or otherwise address any conflicts of interest and not put their own interests ahead of their investors’ interests.”

“I believe that, if adopted, these rules would help protect investors from conflicts of interest – and require that, regardless of the technology used, firms meet their obligations not to place their own interests ahead of investors’ interests,” Gensler concluded.

The SEC noted that broker or adviser use of technologies to optimise for, predict, guide, forecast, or direct investment-related behaviours or outcomes has accelerated.

It added that the use of such technologies can benefit investors by providing greater market access, efficiency, and returns, but it could also allow these firms to use the technology in a manner that places their own interests ahead of investors’ interests.

Building off existing legal standards, the proposed rules generally would require a firm to evaluate and determine whether its use of certain technologies in investor interactions involves a conflict of interest that results in the firm’s interests being placed ahead of investors’ interests.