This alert may not be shared outside your organization. Do not repost or send it, place it on other websites or list servers, or send it to others via email, including other associations or parties. Members and law enforcement use only. Contact us for any permissions. To do otherwise will result in the loss of membership.



SEC Cyber Rules Loom Over Public Companies

All Members

Security chiefs and corporate lawyers are wrestling with how much information to report about cyberattacks under new disclosure rules, worried that saying too much might invite lawsuits and more hacks. 

Starting Friday, the Securities and Exchange Commission will oblige companies to disclose how they manage cyber risk in annual reports, known as 10-Ks. Companies will be expected to detail how they assess threats and protections, and to what degree their boards exercise oversight on cyber issues. Annual filings must also describe the potential material effects of a successful attack.

When hackers strike, companies must report the cyberattack to the SEC no later than four business days after they determine the incident will have a material impact on operations, using an 8-K form. That obligation comes into force on Monday.

Companies have complained about the four-day reporting window and the difficulty of determining what constitutes materiality, but some security chiefs say that larger companies should already be doing most of what is required in the rules, at least for annual reporting. 

