The Securities and Exchange Commission (SEC) has adopted new rules requiring public companies to disclose material cybersecurity incidents within four business days. The rules also mandate annual disclosure of material information regarding cybersecurity risk management, strategy, and governance. This move is significant as it brings cybersecurity risks to the forefront of corporate governance and investor protection.
The new rules mandate that public companies disclose cybersecurity incidents within 4 days of the breach. This puts pressure on public companies to be more transparent with investors and to take cybersecurity more seriously than in the past. The rules also cover third-party apps, seemingly in response to recent major breaches like the MOVEit breach, which counted several US federal government agencies among those impacted.
The new rules are a response to the increasing digitization of operations and remote work, which has escalated the risk and cost of cybersecurity incidents. The rules aim to protect investors by ensuring transparency and consistency in disclosing cybersecurity risks and incidents.
SEC Chair Gary Gensler emphasized the importance of the new rules, stating, "Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors." He noted that the rules will help ensure that companies disclose material cybersecurity information in a "consistent, comparable, and decision-useful way" and that "today's rules will benefit investors, companies, and the markets connecting them."
The rules are not without controversy. Hester Peirce, one of the dissenting Republican commissioners, argued that the new requirements overstep the SEC's authority and could potentially benefit hackers by providing detailed information on how companies manage cybersecurity risks.
However, according to the new SEC rules, "The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety."
The new rules come at a time when the cost of dealing with cybersecurity breaches is on the rise. A recent report by IBM found that organizations now pay an average of $4.5 million to deal with breaches, a 15% increase over the past three years.
The rules will become effective 30 days following publication of the adopting release in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
The new rules represent a significant step towards greater transparency and consistency in the disclosure of cybersecurity risks and incidents. They underscore the importance of cybersecurity risk management in corporate governance and investor protection.
Public companies should prepare for the new disclosure requirements by reviewing their cybersecurity risk management strategies and ensuring they have processes to promptly identify and disclose material cybersecurity incidents. Investors should also pay close attention to these disclosures when making investment decisions.