July 27, 2023

New Rule Lays Out How Quickly Firms Must Disclose Hacks (Ignites)

The Securities and Exchange Commission voted on Wednesday to adopt a rule that requires all publicly traded companies to disclose cyberattacks, using a Form 8-K, within four business days of the firm determining that the hack was material. The four-day timeline could become an issue for potential amendments to the 8-K, said Kaylee Cox Bankston, a Data, Privacy & Cybersecurity partner. “It may be difficult [to comply] as investigations are unfolding and you’re learning new facts every day,” she said to Ignites. “Sometimes you don’t have information to get the full picture of what happened, or it may be several weeks or even months in some cases.”