Market: SEC requires listed companies to promptly report cyberattacks


(BFM Bourse) – The US stock market watchdog has introduced new rules for listed companies. They will have to publicly disclose critical IT security incidents they have suffered, within four days of the event.

Last year, in the middle of the Assumption holiday, the servers of the Damart website were targeted by a cyberattack. On the Paris Stock Exchange, shares of its parent company Damartex then plunged 15% after Le Parisien revealed the attack within 10 days of the incident. Even relatively small listed companies are not spared from cyberattacks.

In the United States, the threat is taken very seriously. The Securities and Exchange Commission (SEC) has just introduced new rules requiring listed companies to accurately report the computer security incidents they have suffered. And the deadline will be short: the report will have to be made within four days of the discovery of the incident. These new rules will apply from December.

“Whether a company sees its factory destroyed in a fire or loses millions of files in a cybersecurity incident, that can be important to investors,” said SEC Chairman Gary Gensler.

The US stock market watchdog urges listed companies to report the slightest cybersecurity incident of which they have been the target “and to publish essential information each year concerning their management, their strategy and their governance in terms of risks related to cybersecurity”.

Companies will also be required to describe “their processes, if any, for assessing, identifying, and managing significant risks related to cybersecurity threats, as well as significant or probable risks related to cybersecurity threats and past cybersecurity incidents.”

Extra protection

With these new rules, the US financial watchdog wants to give investors additional protection. “By helping to ensure that companies publish important cybersecurity information, the rules adopted […] will benefit investors, companies and the markets”, said the SEC chairman in defense of the rules.

Disclosure of such information may, however, be delayed if the United States Attorney General determines that immediate disclosure of the attack would present a substantial risk to national security or public safety and notifies the SEC in writing of that determination.

But these new rules have not been well received, CNBC reports. The four-day deadline imposed by the SEC is considered “unreasonable”. Businesses fear that this short window could be exploited by cybercriminals while they are already busy repelling the initial attack.

Sabrina Sadgui – ©2023 BFM Bourse


