
SEC Implements New Rule for Cybersecurity Incident Disclosure Requirements

The Securities and Exchange Commission (SEC) has implemented a new rule that obliges companies to disclose any significant cybersecurity incidents they experience, as well as provide annual information on their cybersecurity risk management, strategy, and governance. This rule, as stated in the SEC’s press release, aims to establish a more consistent and comparable disclosure framework for cybersecurity information, benefiting both investors and companies.

SEC Chair Gary Gensler emphasized the importance of such disclosure, stating that whether it is a fire destroying a company’s factory or a cybersecurity breach compromising millions of files, these incidents can have material impacts on investors. Currently, many public companies do provide some level of cybersecurity disclosure, but Gensler believes that it should be more standardized, enabling investors to make more informed decisions. By implementing this rule, the SEC aims to ensure that companies disclose material cybersecurity information in a manner that is useful for investors while also benefiting the overall market.

The rule reflects the SEC’s concern that cybersecurity incidents have been under-disclosed despite its prior guidance on the matter. The SEC now considers it necessary to give investors more timely and consistent cybersecurity disclosure so that they can make informed investment decisions. Furthermore, recent legislative and regulatory developments such as CIRCIA and the Quantum Computing Cybersecurity Preparedness Act prompted the need for more comprehensive disclosure, since they were insufficient to meet the cybersecurity disclosure requirements for public companies.

Under the new rule, companies must file a Form 8-K within four business days of determining that a cybersecurity incident is material. However, much like the General Data Protection Regulation and US state data breach disclosure rules, the SEC does not specify the criteria companies should use to decide whether an incident is material, or when the clock starts ticking for disclosure.

In terms of defining what constitutes a material incident, the SEC is adopting a slightly different approach compared to other matters. Traditionally, materiality has been determined based on the significance of an event in potentially affecting stock prices. For example, a $20 million acquisition might be material for a smaller company but not for a much larger one. However, the July 26 cybersecurity rule takes a somewhat more assertive stance, stating that information is material if it is something investors would deem important to know.

According to the SEC, information is material if there is a substantial likelihood that a reasonable shareholder would consider it crucial in their investment decision-making process, or if it would significantly alter the overall information available to investors. This approach is intended to prioritize the protection of investors by favoring disclosure when there are doubts regarding the critical nature of the relevant information.

Nevertheless, the SEC does exclude certain specific details from the disclosure requirement. Companies are not expected to provide intricate technical information about their planned response to the incident, their cybersecurity systems, related networks and devices, or potential system vulnerabilities. Releasing such detailed information could impede a company’s ability to respond to or remediate the incident effectively.

In conclusion, the SEC’s adoption of this rule marks a significant step toward enhancing cybersecurity disclosure in public companies. By providing clearer guidelines and requirements for companies to disclose material cybersecurity incidents, the SEC aims to ensure that investors have access to timely and consistent information when making investment decisions. This rule is part of an ongoing effort to create a more transparent and secure marketplace that benefits both investors and companies alike.
