New SEC Rules Aim to Curb Investor Costs When Companies Are Hacked

Publicly traded companies would need to disclose cybersecurity breaches in 4 days

The Securities and Exchange Commission (SEC) has adopted new rules requiring public companies to disclose within four days material cybersecurity breaches that could affect investors.

In a statement announcing the decision, SEC Chair Gary Gensler acknowledged that many public companies already disclose cybersecurity events to investors.

“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way,” Gensler said. The rules will benefit investors, companies and the markets connecting them, he added.

Companies must also periodically spell out their management, strategy and governance efforts around cyber attacks, the SEC said.

First proposed in March 2022, the rule is part of a broader SEC effort to reinforce the financial system against systems failure, data theft and cyber-intrusions.

Kathryn Pomroy
