Quartz: “The US Securities and Exchange Commission (SEC) wants public companies to be more transparent and forthcoming about “material cybersecurity incidents,” the federal agency said yesterday (July 26).  Its new rules, passed by a 3-2 vote, dictate companies must disclose details of incidents and their effect on the bottomline in a section of the Form 8-K, a broad form companies use to notify shareholders of major events, within four days of a cybersecurity event. A delay in filing will only be allowed if the US Attorney General determines that “immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing,” the SEC said. Final rules, which will be signed into the Federal Register later this year, will apply to big companies within 30 days. Smaller companies will be given a more generous deadline—180 days—to comply.”

• SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies
• Final Rule
• Fact Sheet