The SEC on July 26, 2023, voted 3 to 2 to adopt a March 2022 proposal that requires public companies to notify investors of material cybersecurity breaches in a more timely manner and increases the disclosure of their cybersecurity risk management. Under the new rules, companies will have to report within four days of determination that a cybersecurity incident was material on Form 8-K disclosures.
The rulemaking in part responds to complaints by investors that they sometimes find significant cyberattacks in the news first, among other reporting problems. Some companies have not disclosed significant breaches for months or years.
In response to concerns expressed in comment letters on the proposal, however, the SEC modified and streamlined the proposed requirements. For example, the rule’s new provision gives a reasonable delay in filing material cybersecurity breach on Form 8-K if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the commission of such determination in writing.
A staff member during the meeting said that in general companies that experience significant attack are already in touch with various authorities about the breach. So, this would not be something new that companies will have to suddenly discuss with law enforcement authorities.
SEC Commissioners Hester Peirce and Mark Uyeda, who voted against the rules, said they welcome some of the changes made to the proposal but said the revisions do not sufficiently address several concerns described in comment letters, including some disclosures that could potentially give a road map to bad actors for future attacks.
The final rule also requires companies to disclose material information on their cybersecurity risk management, strategy and governance.
The majority of the commission, however, believes that the rules’ benefits outweigh the costs.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”
In particular, when filing Form 8-K on a material cybersecurity incident, the information should describe the material aspects of the breach’s nature, scope, timing as well as its material impact on the company.
The rules also require companies to describe their processes for evaluating, identifying and managing material risks from cybersecurity threats. Companies must also disclose the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
In addition, the SEC is requiring companies to describe in their annual reports on Form 10-K the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in handling material risks from cybersecurity threats.
The rules come amid increasing frequency and severity of cyber breaches. Breaches rose 600% from 28 in 2011 to 188 in 2021, according to Commissioner Jaime Lizarraga. In 2022, he said 83% of organizations experienced more than one data breach, and the average cost of a data breach last year in the U.S. was $9.44 million. He said the total costs are staggering, with some estimates running as high as trillions of dollars each year in the U.S. alone.
However, the Bank Policy Institute (BPI) criticized the rule as it has the risk of harming investors and exacerbates security risks. BPI noted that companies must notify investors when cybersecurity is ongoing and could expose potential vulnerabilities at other companies or sectors.
“The SEC’s cyber disclosure rule risks harming the very investors it purports to protect by prematurely publicizing a company’s vulnerabilities,” Heather Hogsett, senior vice president, technology and risk strategy for BITS — the technology policy division of BPI, said in a statement. “No reasonable investor would want premature disclosure of a cyber event to malicious actors or a hostile nation-state, which could exacerbate security risks and creates a recipe for disaster the next time a major cyber incident occurs.”
Dave Brown, a partner with Alston & Bird LLP in Washington. agreed.
“Public companies will certainly be disappointed with these final rule amendments. Although the SEC acknowledged a need for balance between investor information and a company’s cybersecurity posture, the final rules do not provide much balance at all,” he said. “The requirement to disclose an incident that is ongoing, even if it will tip off threat actors, could end up harming the very investors the SEC is trying to protect.”
Like it or not, companies must get ready
But since the rules were adopted, experts said that companies must get ready to implement them.
“Cybersecurity incident disclosures will be more prominent and expansive,” said Timothy Brown, an audit partner in the Department of Professional Practice at KPMG LLP.
“An organization’s ability to comply with these new regulations is critical to maintaining transparency and stakeholder trust in today’s volatile world,” said Kyle Kappel, KPMG US practice leaders for Cybersecurity Services.
Steve Soter, a vice president at Workiva, said that the new SEC rule does ease off some requirements from the proposal. “But it significantly raises the stakes for how companies assess the materiality of non-financial information—including cybersecurity threats —which was already being scrutinized under existing SEC rules to disclose material human capital and the impact of climate,” he said.
He also pointed out that the rule does not specify an exact timeframe to determine whether a cybersecurity incident is material but has to be “without unreasonable delay.”
Thus, “a potential implication is the SEC scrutinizing the timing of when an incident occurred and when it was ultimately disclosed,” Soter explained. “That will make the timing and documentation of how companies assess materiality incredibly important. SEC registrants will need to closely coordinate such analyses with their financial reporting, legal, IT and risk teams.”
Alston & Bird’s Brown also said that the rules will be difficult to put into practice, imposing additional burdens on public companies, including determining what is “without unreasonable delay” in a materiality analysis during an ongoing cyber incident.
“It will also be interesting to see how many public companies rely on the instruction that disclosure is not required for specific information that would impede response or remediation and if this results in a significant number of Form 8-K amendments,” Brown said. “The amendment requirement also essentially transforms the Form 8-K to the cybersecurity incident disclosure form but will still need to give repetitive disclosure for loss contingencies in footnotes to the financial statements under the accounting literature.”
Further, Workiva’s Soter said that there are other implications, especially on technology front.
“It’s notable that companies will have to disclose significant hacks involving not only technology they own but also systems they use, including those of third-party vendors, which companies will want to consider carefully in their procurement processes,” he said.
The rules are in Release No. 33-11216, Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure.
The release becomes effective 30 days after publication in the Federal Register.
The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy and governance. Compliance dates are mid-December. Smaller reporting companies have an additional 180 days to start complying for Form 8-K disclosure.
All companies must tag disclosures required in the final rules using Inline eXtensible Business Reporting Language (XBRL) beginning one year after initial compliance.
