After noting the increasing number of cyberattacks on U.S. networks, the SEC is asking company leadership for quick cyber incident disclosures and more documentation.
The Securities and Exchange Commission will adopt new rules for the disclosure of cybersecurity incidents for registrant companies, which would include annual reports on their risk management tactics. Companies will also have a four-day mandated reporting window following a relevant cyber incident.
Announced on Wednesday, the SEC rule will now require publicly traded companies to disclose cybersecurity incidents against their networks that are considered “material” and to document the nature of the potential attack on Form 8-K, which is used to inform shareholders of “major events” at a company. The rule also states that the SEC will ask for “periodic disclosures” on a company’s cybersecurity defense posture.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”
The rule broadly defines an incident as “material” if “there is a substantial likelihood that a reasonable shareholder would consider it important,” based on case examples in securities law.
A short, mandatory four-day filing and disclosure period is intended to help investors assess possible damage or fallout from the incident and make informed financial decisions.
Along with the reporting change to the 8-K form, the SEC will also add Regulation S-K Item 106, which will require companies to document in detail their internal process for cyber threat mitigation. It also asks for information on the oversight capabilities companies’ boards of directors have over cyber risks and how management assesses material threats.
Notably, a disclosure may be delayed if the U.S. attorney general determines immediate disclosure “would pose a substantial risk to national security or public safety.”
This caveat responds to public comments the SEC received during the rulemaking period, which listed, among other things, the fear that preemptively disclosing a cyberattack that was still ongoing could further enable malicious actors.
Other comments veered in the direction of requesting the SEC ask for more information — such as loss of intellectual property or digital assets — during a material cyberattack.
The SEC’s ruling follows years of escalating cyberattacks against critical digital networks globally. Initially proposed in March 2022, the SEC focused on implementing new cybersecurity regulations for public companies with the mass onset of digitized services and remote work, along with the facilitation of monetizing attacks with the use of digital currencies.
“The proposal was intended to result in consistent, comparable and decision-useful disclosures that would allow investors to evaluate registrants’ exposure to material cybersecurity risks and incidents as well as registrants’ ability to manage and mitigate those risks,” the fact sheet said.
The commission is also planning to discuss other rule reforms, including proposals requiring online investment advisers to meet certain standards and asking firms to reconcile their use of predictive data and conflicts of interest.