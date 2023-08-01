

Organisations operating in the US will have to get to grips with strict new cyber breach reporting regulations, handed down this week by the Securities and Exchange Commission (SEC).

The rules will apply to all US-listed companies, including Foreign Private Issuers – bodies primarily organised outside the US that maintain secondary listings there.

They oblige organisations to disclose material cyber security incidents within a four-day period from the point at which a breach is determined to be material. Delays will be permitted if an immediate disclosure would pose a risk to national security or public safety, although it is unclear whether this is a relevant factor beyond US borders.

Going forward, organisations will also have to disclose material information on their cyber risk management, strategy and governance on an annual basis.

“Whether a company loses a factory in a fire – or millions of files in a cyber security incident – it may be material to investors,” said SEC chair Gary Gensler.

“Currently, many public companies provide cyber security disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way.

“Through helping to ensure that companies disclose material cyber security information, today’s rules will benefit investors, companies and the markets connecting them,” he said.

