The SEC on July 26, 2023, voted 3 to 2 to adopt a March 2022 proposal that requires public companies to notify investors of material cybersecurity breaches in a more timely manner and increases the disclosure of their cybersecurity risk management. Under the new rules, companies will have to report on Form 8-K within four days of determining that a cybersecurity incident was material.
The rulemaking in part responds to complaints by investors that they sometimes learn of significant cyberattacks from the news first, among other reporting problems. Some companies have not disclosed significant breaches for months or years.
In response to concerns expressed in comment letters on the proposal, however, the SEC modified and streamlined the proposed requirements. For example, a new provision in the rule allows a reasonable delay in disclosing a material cybersecurity breach on Form 8-K if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the commission of such determination in writing.
A staff member said during the meeting that, in general, companies that experience a significant attack are already in touch with various authorities about the breach, so this would not be something new that companies will suddenly have to discuss with law enforcement authorities.
SEC Commissioners Hester Peirce and Mark Uyeda, who voted against the rules, said they welcome some of the changes made to the proposal but said the revisions do not sufficiently address several concerns described in comment letters, including some disclosures that could potentially give a road map to bad actors for future attacks.
The final rule also requires companies to disclose material information on their cybersecurity risk management, strategy and governance.
The majority of the commission, however, believes that the rules’ benefits outweigh the costs.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”
In particular, when a company files Form 8-K on a material cybersecurity incident, the disclosure should describe the material aspects of the breach’s nature, scope and timing, as well as its material impact on the company.

