Public companies face new cybersecurity disclosure rules from SEC

The Securities and Exchange Commission (SEC) has adopted new rules requiring public companies to disclose material cybersecurity incidents within four business days. The rules also mandate annual disclosure of material information regarding cybersecurity risk management, strategy, and governance. This move is significant as it brings cybersecurity risks to the forefront of corporate governance and investor protection.

Why it matters

The new rule mandate that public companies disclose cybersecurity incidents within 4 days of the breach. This puts pressure on public companies to be more transparent with investors and take cybersecurity more seriously than in the past. The rule also includes third-party apps, seemingly in response to recent major breaches like the MOVEit breach, which included several US federal government agencies among those impacted. 

The big picture

The new rules are a response to the increasing digitization of operations and remote work, which has escalated the risk and cost of cybersecurity incidents. The rules aim to protect investors by ensuring transparency and consistency in disclosing cybersecurity risks and incidents.

What they're saying

SEC Chair Gary Gensler emphasized the importance of the new rules, stating, "Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors." He noted that the rules will help ensure that companies disclose material cybersecurity information in a "consistent, comparable, and decision-useful way" and that "today's rules will benefit investors, companies, and the markets connecting them."

Between the lines

The rules are not without controversy. Hester Peirce, one of the dissenting Republican commissioners, argued that the new requirements overstep the SEC's authority and could potentially benefit hackers by providing detailed information on how companies manage cybersecurity risks.

However, according to the new SEC rules, "The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety."

The ransomware threat

The new rules come at a time when the cost of dealing with cybersecurity breaches is on the rise. A recent report by IBM found that organizations now pay an average of $4.5 million to deal with breaches, a 15% increase over the past three years.

Related: Refusal to pay is the newest strategy to combat ransom attacks

What's next

The rules will become effective 30 days following publication of the adopting release in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.

The bottom line

The new rules represent a significant step towards greater transparency and consistency in the disclosure of cybersecurity risks and incidents. They underscore the importance of cybersecurity risk management in corporate governance and investor protection.

Be smart

Public companies should prepare for the new disclosure requirements by reviewing their cybersecurity risk management strategies and ensuring they have processes to promptly identify and disclose material cybersecurity incidents. Investors should also pay close attention to these disclosures when making investment decisions.

Summary of the new SEC rules

• Registrants must disclose any cybersecurity incident determined to be material on the new Item 1.05 of Form 8-K. This includes describing the material aspects of the incident's nature, scope, and timing and its material impact on the registrant.
• The disclosure is generally due four business days after a registrant determines that a cybersecurity incident is material. 
• The disclosure may be delayed if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.
• The new rules add Regulation S-K Item 106, which requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats.
• Item 106 also requires registrants to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.
• The rules also require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.