SEC To Require Disclosure Of ‘Material’ Cyberattacks Within 4 Business Days
The new rule affecting publicly traded companies was adopted in a split decision Wednesday, and followed more than a year of debate over the measure.
After a lengthy period of consideration, the U.S. Securities and Exchange Commission voted Wednesday to adopt a new rule requiring publicly traded companies to disclose major cybersecurity incidents within four business days.
The clock starts ticking once an impacted company has made a determination that a cybersecurity incident is “material” for its shareholders, the SEC said.
The rule was adopted in a 3-2 vote, with two Republican SEC commissioners dissenting. Cyber incident disclosure rules were first proposed by the SEC in March 2022.
In a news release, SEC Chair Gary Gensler said the rule would help ensure that when an incident is “material to investors,” it is publicly disclosed in a “more consistent, comparable, and decision-useful way.”
There could be exceptions to the required disclosure window of four business days, however. The disclosure “may be delayed” if the U.S. attorney general decides that disclosing an incident in that timeframe would “pose a substantial risk to national security or public safety.”
The inclusion of that exception could be critical, given that numerous executives and industry groups have argued that publicly disclosing certain incidents in a short timeframe could carry significant security risks. Attackers, for instance, might be the biggest beneficiaries if vulnerability details were publicly disclosed before a fix was available, multiple tech industry groups said in comments on the SEC’s proposed rules.
In a dissenting comment, SEC Commissioner Hester Peirce wrote that while the adopted rule is “better than the [original] proposal,” the disclosure requirement still appears “designed to better meet the needs of would-be hackers rather than investors’ need for financially material information.”
Supporters of the new rule include Amit Yoran, CEO of well-known cybersecurity vendor Tenable, who applauded the SEC’s moves in written comments provided to CRN.
“This is a dramatic step toward greater transparency and accountability and will greatly improve our cybersecurity preparedness as a nation,” Yoran said in the comments Wednesday. The incident disclosure requirement, he said, will help more companies to adopt “good cyber hygiene” — essentially regulating “what companies should have been implementing in the first place.”
The final rule will take effect 30 days after it is published in the Federal Register, the SEC said.
The rule will require public companies to disclose “any cybersecurity incident they determine to be material” via a new item — Item 1.05 — in a Form 8-K filing. The disclosure must include a description of the “material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant,” the SEC said in its news release.
The SEC also adopted a rule Wednesday that will require publicly traded companies to annually disclose “material information regarding their cybersecurity risk management, strategy, and governance.”
That disclosure, which will be required in a public company’s annual Form 10-K filing, must include a description of a company’s “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.” The new item — Item 106 — will “also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats,” the SEC said.
“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them,” Gensler said in the SEC news release.