The new Securities and Exchange Commission Rule on Cybersecurity exposed a problem: many companies are not equipped to assess material risks from cybersecurity incidents and disclose them to their stakeholders in a timely, accurate and comparable way.
The rule requires regulated companies to report a cyber loss event within four business days of determining that its impact would likely be material, and to report when past events cumulatively reach the level of materiality.
Beyond cyber incidents, the SEC wants companies to disclose their ongoing processes to manage material risks.