Close Menu
TechTost
  • AI
  • Apps
  • Crypto
  • Fintech
  • Hardware
  • Media & Entertainment
  • Security
  • Startups
  • Transportation
  • Venture
  • Recommended Essentials
What's Hot

12 states sue to block $110 billion Paramount deal from Warner Bros

Apple says ex-employee exploited ‘rare’ bug to download confidential files after leaving for OpenAI

SpaceX decided to fly Starship again after the booster failed in May

Facebook X (Twitter) Instagram
  • About Us
  • Contact Us
  • Privacy Policy
  • Terms and Conditions
  • Disclaimer
Facebook X (Twitter) Instagram
TechTost
Subscribe Now
  • AI

    Should artificial intelligence help you get away with murdering your husband?

    13 July 2026

    Meta enters the crowded AI coding fray with Muse Spark 1.1

    13 July 2026

    Can AI answer the $3 trillion question?

    12 July 2026

    OpenAI shuts down Atlas, but AI browser ambitions keep growing

    12 July 2026

    OpenAI bets on families as ChatGPT goes deeper into households

    11 July 2026
  • Apps

    As TV-watching app TV Time shuts down, its founder creates Bingers, a new home for fans

    13 July 2026

    Elon Musk says X will send DMs when posts you’ve interacted with are fixed

    13 July 2026

    ‘Slow-cial’ Roost app forces you to slow down to the speed of a carrier pigeon

    12 July 2026

    Character.AI is entering the micro-drama arena with its own productions, but there’s a twist

    12 July 2026

    A new app, HyperTexting, turns the open web into a social media scrolling-like stream

    11 July 2026
  • Crypto

    Venice AI goes unicorn with $65M Series A as first privacy AI platform takes off

    1 July 2026

    Crypto Exchange OKX wants AI agents to hire and pay each other

    30 June 2026

    Startup Battlefield 200 applications close today

    27 May 2026

    5 days left: Save up to $410 on Disrupt 2026 passes

    25 May 2026

    As crypto cools, a16z crypto raises $2.2 billion in capital

    6 May 2026
  • Fintech

    Don’t want to invest in Elon Musk? Two new ETFs expressly exclude him

    10 July 2026

    India’s payments chief believes artificial intelligence will play a big part in the next era of digital payments development

    28 June 2026

    Early Bird pricing ends tonight for the Founder Summit

    26 June 2026

    4 days left to save up to $190 on Founder Summit 2026

    23 June 2026

    Robinhood’s note on 10% layoffs shows that blaming AI doesn’t cut it

    17 June 2026
  • Hardware

    Meta’s new AI chips will begin production in September

    12 July 2026

    This slush machine was a lifesaver during the New York heat wave

    12 July 2026

    Dumb Co dared me to exchange my iPhone for a hacked phone

    11 July 2026

    SK Hynix raises $26.5 billion in largest foreign public IPO in US history, set to build new fabs in US

    11 July 2026

    After Apple, smartphone manufacturing boom in India enters new phase with Vivo JV

    10 July 2026
  • Media & Entertainment

    12 states sue to block $110 billion Paramount deal from Warner Bros

    14 July 2026

    Netflix could be planning “always on” live TV channels.

    11 July 2026

    Netflix is ​​dealing with shorter video content with its new set of publisher deals with Variety and others

    8 July 2026

    Netflix invented binge watching. Now he may be over it.

    7 July 2026

    New Google ad imagines a Declaration of Independence written with the help of artificial intelligence

    4 July 2026
  • Security

    Apple says ex-employee exploited ‘rare’ bug to download confidential files after leaving for OpenAI

    13 July 2026

    US cybersecurity agency CISA had to create the incident guide during the incident, the agency reveals

    11 July 2026

    Florida ransomware dealer convicted of helping ransomware gang extort US companies

    10 July 2026

    Hacktivists call out Trump by hacking and defacing US military websites

    8 July 2026

    Canada’s spy agency says it hacked drug traffickers, extremists and a ransomware gang last year

    6 July 2026
  • Startups

    AI chip maker SambaNova raises $1 billion at $11 billion valuation, 5 months after last mega round

    12 July 2026

    Hot French startup ZML releases free product to speed up inference on multiple AI chips

    12 July 2026

    Former OpenAI executive Kevin Weil is now on Stoke Space’s board

    11 July 2026

    Phia Accused of ‘Cookie Stuffing’, Taking Affiliate Credit for Unearned Purchases

    11 July 2026

    Oratomic raises $300M to build sustainable quantum computer that only needs 20,000 qubits

    10 July 2026
  • Transportation

    SpaceX decided to fly Starship again after the booster failed in May

    13 July 2026

    TechCrunch Mobility: A robotaxi ultimatum

    12 July 2026

    Slate Auto partners with Crayola to paint its EV truck

    10 July 2026

    Autonomous drone delivery startup Manna plans major US expansion

    9 July 2026

    Federal authorities are demanding that autonomous vehicle companies stop interfering with first responders

    9 July 2026
  • Venture

    Filed Under: College Fizz App Accuses VC Of Sharing Confidential Startup Info With Rival Sidechat

    11 July 2026

    Charles Hudson shares the common mistakes he’s seen after investing in 500+ startups

    10 July 2026

    Nandan Nilekani steps down as GP at Fundamentum as it launches third $200m fund

    9 July 2026

    What are bending spoons? The little-known owner of AOL and Vimeo who is now public

    5 July 2026

    After $18B IPO, Bending Spoons Founder Says Success Comes From Minimizing Luck

    2 July 2026
  • Recommended Essentials
TechTost
You are at:Home»Security»As the SEC’s new data breach disclosure rules take effect, here’s what you need to know
Security

As the SEC’s new data breach disclosure rules take effect, here’s what you need to know

techtost.comBy techtost.com24 December 202307 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Email
As The Sec's New Data Breach Disclosure Rules Take Effect,
Share
Facebook Twitter LinkedIn Pinterest Email

Starting today, on December 18, public companies operating in the US must comply with a new set of rules requiring them to disclose “material” cyber incidents within 96 hours. The regulation represents a significant upheaval for agencies, many of which have argued that the new rules open them up to more risks and that four days is not enough time to confirm a breach, understand its impact or coordinate alerts.

Regardless, those who don’t comply — whether a new entrant or a decades-old publicly held company — could face significant consequences courtesy of the US Securities and Exchange Commission (SEC).

What do businesses need to know?

In accordance with incoming cyber security disclosure requirements, was first approved by the Securities and Exchange Commission in July, organizations must report cybersecurity incidents, such as data breaches, to the SEC on a specific line item in a Form 8-K report within four business days. According to the regulator, the rules are intended to increase visibility into cybersecurity governance and provide disclosure in a more “consistent, comparable and useful way for decision-making” that will benefit both investors and companies.

“Whether a company loses a factory in a fire — or millions of records in a cyber security incident — it can matter to investors,” SEC Chairman Gary Gensler said at the time.

In an 8-K filing, breached organizations must describe the nature, scope, timing and material effects of the incident, including financial and operational. Specifically, the regulation does not require companies to disclose information “regarding the incident recovery status, whether it is ongoing, and whether data has been breached,” as this could jeopardize ongoing recovery efforts.

“This means companies must have the appropriate controls and processes in place to ensure that a materiality determination can be made once a cybersecurity incident is identified,” Jane Norberg, partner in the Securities Enforcement Defense practice at the Washington, D.C.-based law firm. . Arnold & Porter. “Practically speaking, companies will also want to consider having the incident response team in the process chain when making materiality determinations.”

Norberg added, “The rule also includes breaches of registrant information that may be in a third-party system. This means that a company should collect and evaluate information and make materiality determinations based on breaches of third-party systems.”

“I seem to be the person who criticizes the SEC less than everyone else because I think they should be praised for trying to set rules.” Joe Sullivan, former CSO of Uber

Smaller companies, which the SEC defines as companies with a public float of less than $250 million or less than $100 million in annual revenue, will get a 180-day extension before they need to file their Form 8-K disclosing an incident.

There is also an exception to the four-day deadline for larger organizations, a clause added after businesses argued that early disclosure of a cyber vulnerability or incident could hinder ongoing law enforcement investigations. The SEC says disclosure can be delayed if the US attorney general determines that notifying shareholders of the incident “would pose a significant risk to national security or public safety.”

The FBI will be responsible for collecting delay request forms and forwarding viable ones to the Department of Justice.

In addition to the SEC’s new data breach disclosure rules, the regulator has also added a new line item called Item 106 to Regulation SK to be included in a company’s annual Form 10-K filing. This will require businesses to outline their process “for assessing, identifying and managing significant risks from cyber security threats”. Companies must also disclose their management’s ability to assess and manage significant risks from cyber attacks.

What are the consequences if businesses do not comply?

If an organization subject to the SEC’s jurisdiction does not comply with the new rules on cybersecurity disclosures, it can lead to several consequences, the SEC says.

“The SEC has the power to enforce compliance and can take action against organizations that do not comply with the regulations. Some potential consequences include financial penalties, legal liabilities, reputational damage, loss of investor confidence and regulatory scrutiny,” Safi Raza, senior director of cybersecurity at Fusion Risk Management, told TechCrunch. “The SEC is unwavering in its commitment to protect investors, making clear that enforcement measures will be implemented to ensure transparency and accountability.”

As demonstrated by the SEC’s recent action against SolarWinds and its chief information security officer (CISO), the regulator’s action could be even more far-reaching.

“In this case, the SEC is seeking civil monetary penalties, disbarment and permanent disqualification against the CISO from serving as an officer or director of a public company based on alleged material misstatements and failure to maintain proper disclosures and controls with respect to SolarWinds cyberattack,” Norberg said.

This controversial case shares similarities with the case against former Uber CSO Joe Sullivan, who in 2022 was found guilty of obstruction of justice and misdemeanor counts of misdemeanor failure to report in connection with a 2014 breach of Uber’s systems. .

In a recent interview with TechCrunch, Sullivan said he welcomes the SEC’s data breach reporting rules, saying, “We can pick apart the details as much as we want, but this is the right way to do it,” he said. “I seem to be the person who criticizes the SEC less than everyone else because I think they should be praised for trying to set rules.”

Was there pushback?

Not surprisingly, yes.

Some firms have expressed concern about the short four-day reporting window to determine whether or not an incident is material and then report it to the Securities and Exchange Commission. Until now, many organizations took months to report a breach and did so only after they had completed their investigation.

“The real challenge for companies is to stay up-to-date and on top of all the changing laws and requirements related to cybersecurity hygiene and breaches, and to put in place the appropriate controls, processes and procedures to reduce the risk of this constantly evolving landscape”. Norberg said.

Some organizations have also raised concerns about the SEC’s definition of “material events,” since the regulator has not provided a definition of materiality specifically for cybersecurity events. Instead, the SEC directs companies to apply the longstanding definition of materiality used in securities law, which says: “Information is material if there is a substantial likelihood that a reasonable shareholder would consider it relevant to making an investment decision, or whether it would have significantly changed the set of information available to investors.

Norberg added that there is also concern from businesses that the timing and scope of the information to be disclosed “could give hackers information about the steps the company took.”

In fact, they may have just gone into effect, but hackers have already abused the SEC’s new data breach rules. Earlier this year, the notorious Alphv/BlackCat ransomware group has filed an SEC complaint against one of its victims, MeridianLinkbecause the incident was not reported to the regulator.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and business information, has failed to file the required disclosure pursuant to Item 1.05 of Form 8-K within the prescribed four business days as defined by the new SEC Rules,” read a post on the gang’s dark web leak site.

Matthew Gracey-McMinn, head of threat research at cybersecurity firm Netacea, told TechCrunch that this tactic — adopted by attackers in an attempt to extort extra money from victims — could become a big problem in the future.

“We expect this to become a common practice of most cyberattacks in 2024 and may act as an additional charge alongside or even replace data encryption by ransomware,” Gracey-McMinn said.

breach cyber security data data breaches disclosure effect heres rules SECs security US Securities and Exchange Commission
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleLabrys Technologies collects seeds to serve humanitarian, military scenarios
Next Article Flipboard becomes a federated app with support for ActivityPub
bhanuprakash.cg
techtost.com
  • Website

Related Posts

Apple says ex-employee exploited ‘rare’ bug to download confidential files after leaving for OpenAI

13 July 2026

US cybersecurity agency CISA had to create the incident guide during the incident, the agency reveals

11 July 2026

Florida ransomware dealer convicted of helping ransomware gang extort US companies

10 July 2026
Add A Comment

Leave A Reply Cancel Reply

Don't Miss

12 states sue to block $110 billion Paramount deal from Warner Bros

14 July 2026

Apple says ex-employee exploited ‘rare’ bug to download confidential files after leaving for OpenAI

13 July 2026

SpaceX decided to fly Starship again after the booster failed in May

13 July 2026
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Fintech

Don’t want to invest in Elon Musk? Two new ETFs expressly exclude him

10 July 2026

India’s payments chief believes artificial intelligence will play a big part in the next era of digital payments development

28 June 2026

Early Bird pricing ends tonight for the Founder Summit

26 June 2026
Startups

AI chip maker SambaNova raises $1 billion at $11 billion valuation, 5 months after last mega round

Hot French startup ZML releases free product to speed up inference on multiple AI chips

Former OpenAI executive Kevin Weil is now on Stoke Space’s board

© 2026 TechTost. All Rights Reserved
  • About Us
  • Contact Us
  • Privacy Policy
  • Terms and Conditions
  • Disclaimer

Type above and press Enter to search. Press Esc to cancel.