CyberSecurity SEE

New SEC Rules Require Companies to Report Cyber Incidents within Four Days

The US Securities and Exchange Commission (SEC) has voted on a new set of rules that will require publicly traded companies and foreign private investors to promptly disclose any cybersecurity incidents they experience. Under the new rules, registrants will be required to disclose these incidents within four business days after determining that they are material. Additionally, ransomware payments must be reported within 24 hours. Registrants will also have to disclose material information about their cybersecurity risk management, strategy, and governance on an annual basis.

SEC Chair Gary Gensler acknowledges that many public companies already provide cybersecurity disclosure to investors. However, he points out that the current rules have not resulted in consistent and useful disclosure. Gensler believes that both companies and investors would benefit from more consistent and comparable disclosure, stating, “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

SEC Commissioner Jaime Lizarraga believes that the new reporting rule regarding risk management, strategy, and governance will improve the quality, consistency, and timeliness of cybersecurity-related disclosures. Currently, the SEC has no disclosure requirements that explicitly refer to cybersecurity risks, governance, or incident reporting. Lizarraga states that by clarifying what needs to be disclosed, the rule will provide investors with more certainty and ease of comparison, reducing the risk of adverse selection and potential mispricing of companies.

The investor community and cybersecurity vendors have reacted positively to the new rules. Lesley Ritter, senior vice president for Moody’s Investors Service, believes that the rules will provide more transparency and consistency in disclosing cybersecurity risks. She states that the rules are credit positive for public companies subject to SEC reporting requirements, as the disclosures will help compare how companies are addressing these challenges, particularly those with elevated cyber risk.

The SEC’s new rules, which will be published in the Federal Register in the coming days, include several key highlights. One of the main requirements is the disclosure of cybersecurity incidents within four business days on the new Item 1.05 of Form 8-K. Registrants must also describe the nature, scope, and timing of the incident, as well as its material impact, or reasonably likely material impact, on the registrant.

By implementing these new rules, the SEC aims to enhance transparency and consistency in cybersecurity incident reporting. The rules will provide investors with more information to assess the potential risks associated with investing in public companies. Additionally, the rules will create a more level playing field for companies, enabling better comparison and analysis of their cybersecurity risk management strategies and governance practices.

It is important to note that these rules have been revised from the initial proposals floated in March to address concerns raised during the public comment period. The SEC has taken into account feedback from various stakeholders to ensure that the final rules strike the right balance between disclosure and practicality.

Overall, the SEC’s new rules on cybersecurity incident reporting and disclosure are expected to bring greater transparency, consistency, and predictability to the market. With the increasing threat of cyberattacks, these rules will help investors make more informed decisions and encourage companies to prioritize cybersecurity risk management. By promoting better disclosure practices, the SEC aims to safeguard the interests of both investors and companies in today’s digital era.