Publicly traded medical device manufacturers such as Medtronic, Johnson & Johnson, Abbott and Stryker will need to publicly disclose significant cyberattacks under new rules approved by the Securities and Exchange Commission.
The SEC rules require all publicly traded companies — not just device makers — in the U.S. to release details of a cyberattack within four days of determining that it has a material impact. That determination comes down to whether “there is a substantial likelihood that a reasonable person would consider it important,” the SEC has said.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Publicly traded companies that don’t comply would face fines and investigations. Companies would be able to delay disclosure under a law enforcement exception where the U.S. attorney general determines the information’s release creates a significant national security or public safety risk.
The new rules have implications for how companies work with suppliers and vendors, former cyber crimes prosecutor Erez Liebermann told Bloomberg.
“Third-party risk management programs will have to be beefed up to ensure that you know about incidents quickly,” he said in an interview.
More information about the new rules — including the exact language and a fact sheet — is available on the SEC’s website.
Device cybersecurity
Earlier this year, the FDA launched new cybersecurity requirements for developers and manufacturers of cyber devices. Cyber devices are defined as any device that “includes software validated, installed, or authorized by the sponsor as a device or in a device; has the ability to connect to the internet; and contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”
Under those new rules, cybersecurity plans must be included in applications or submissions for regulatory review of cyber devices.
But these FDA requirements are separate from the new SEC rules for cyberattacks, which more broadly cover any cyberattack on or involving a publicly traded company if determined to have a material impact.