The Securities and Exchange Commission (SEC) adopted a rule this week that will require publicly traded companies to report significant cyber incidents that are “material” to investors, The Hill reported. Companies will have four business days to report to the agency from the time they determine that the incident was material. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” he added. Under the new rule, companies will have to disclose the incident’s nature, scope, timing and impact.
