All public US companies are required to report & disclose any cyber breach or incident to the SEC within 4 business days of an event.
Key Requirements of Proposed Incident Disclosure Rules
Incident reporting: The proposed rules would amend Form 8-K to add new Item 1.05 to require companies to provide disclosure within four business days after the company determines that it has experienced a material “cybersecurity incident” as defined in proposed Regulation S-K Item 106(a). Materiality for purposes of the proposed rules would be consistent with the standard established by case law. The required disclosure would include:
When the incident was discovered and whether it is ongoing;
A brief description of the nature and scope of the incident;
Whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
The effect of the incident on the company’s operations; and
Whether the company has remediated or is currently remediating the incident.
Importantly, the proposed rule defines the trigger for Item 1.05 of Form 8-K as the date on which the company determines that a cybersecurity incident it has experienced is material, rather than the date of discovery of the incident.