Wall Street regulator to mandate listed companies spell out cyber risks

This post was originally published on this site


WASHINGTON (Reuters) – Wall Street’s watchdog is set to unveil a rule on Wednesday that aims to enhance how public companies disclose when they experience a breach, and how soon.

Under the proposed Securities and Exchange Commission (SEC) measures, a company would have to spell out when it experiences a risk and what strategies it has employed to address and manage such risks in current report filings, including Form 8-K.

The rule changes, which are subject to public consultation, would also require an analysis of how the cyber risks are likely to affect the firm’s financials. This would allow investors to assess these risks more effectively, and to locate them more readily, the SEC said.

The changes come a time of growing regulatory concern about how cyber security issues could affect markets and investors. Regulators have warned, for example, of cyber attacks from Russia in retaliation for western sanctions.

President Joe Biden’s administration has also ratcheted up its focus on the issue after a recent series of high-profile cyber attacks on U.S.-based companies.

When companies have an obligation to disclose material information to investors, they must be complete and accurate, SEC chair Gary Gensler said in a statement.

“Their disclosures also should be timely,” he added.

Wednesday’s measure would also require updates in periodic reports to give investors more complete information on previously disclosed, material cybersecurity incidents, the agency said.

The proposals would build on existing SEC cyber risk guidance, which is set to remain in effect, even under the SEC’s new rules, an agency official told reporters.

“How a company might think about the impact (of a breach) to management’s discussion and analysis of financial conditions … should still be taken into consideration,” the official added.