12/15/2023

SEC Cyber Rules Loom Over Public Companies


Security chiefs and corporate lawyers are wrestling with how much information to report about cyberattacks under new disclosure rules, worried that saying too much might invite lawsuits and more hacks.

Starting Friday, the Securities and Exchange Commission will oblige companies to disclose how they manage cyber risk in annual reports, known as 10-Ks. Companies will be expected to detail how they assess threats and protections, and to what degree their boards exercise oversight on cyber issues. Annual filings must also describe the potential material effects of a successful attack.

When hackers strike, companies must report the cyberattack to the SEC no later than four business days after they determine the incident will have a material impact on operations, using an 8-K form. That obligation comes into force on Monday.

Companies have complained about the four-day reporting window and the difficulty of determining what constitutes materiality, but some security chiefs say that larger companies should already be doing most of what is required in the rules, at least for annual reporting.
