The Securities and Exchange Commission adopted rules Wednesday to require public companies to disclose within four days all cybersecurity breaches that could affect their bottom lines. Delays will be permitted if immediate disclosure poses serious national security or public safety risks.

The new rules, passed by a 3-2 vote along party lines, also require publicly traded companies to annually disclose information on their cybersecurity risk management and executive expertise in the field. The idea is to protect investors.

Breach disclosures can be delayed if the U.S. Attorney General determines they would “pose a substantial risk to national security or public safety” and notifies the SEC in writing. Only under extraordinary circumstances could that delay be extended beyond 60 days.

“Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors,” SEC Chair Gary Gensler said in a statement, noting the current inconsistency in disclosures.

New SEC Rule: Disclose Cybersecurity Breaches in Four Days

by The Associated Press