Companies will have four business days to report to the agency from the time they determine that the incident was material.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement.
“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” he added.
Under the new rule, companies will have to disclose the incident’s nature, scope, timing and impact.
Companies will also have to explain the processes they have in place to assess, identify and manage risks from cyber threats.
Read more in a full report at TheHill.com.