New SEC Rules Require Public Companies to Disclose Cybersecurity Incidents
Cybersecurity threats can have a devastating impact on businesses. According to a report from Bitglass, publicly traded companies that suffered a security breach lost 7.5% of their stock value and $742 million market cap on average. It took 46 days for the average company’s stock prices to recover.
Cybersecurity incidents impact stock values in several ways. They typically cause operational disruptions that affect production and lower revenue. There are also direct expenses, such as the cost to recover systems and data, regulatory fines, and lawsuits. Perhaps most significantly, cybersecurity incidents erode customer trust and cause reputational damage.
These kinds of statistics get the attention of regulators. On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules requiring public companies to disclose material cybersecurity incidents to investors. Companies must also include information on cybersecurity strategies, risk management, and governance in their annual reports. The rules are designed to provide investors with the timely and consistent information needed to make more informed investment decisions.
Why the Rules Are Needed
Federal securities laws have long required that public companies disclose information on events and risks that investors consider relevant to investment decisions. However, there were no specific requirements for the reporting of cybersecurity incidents. In 2018, the SEC issued guidance on such disclosures, but incidents have not been consistently reported. The new rules close that gap.
The rules are also consistent with other federal regulatory requirements. For example, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 requires organizations in 16 critical infrastructure sectors to report security incidents within 72 hours. The Department of Defense, General Services Administration, and National Aeronautics and Space Administration have proposed amendments to the Federal Acquisition Regulation requiring federal contractors to report cybersecurity incidents.
What Is a Cybersecurity Incident?
The first step toward complying with the rules is to understand what types of incidents must be disclosed. The SEC rules define a cybersecurity incident broadly as any “unauthorized occurrence … that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.” This would include incidents that affect the company’s operations even if no sensitive data is compromised.
A material incident is one “to which there is a substantial likelihood that a reasonable investor would attach importance.” To make the determination, companies must evaluate all relevant facts based on qualitative factors such as reputational harm as well as financial impact. If materiality isn’t immediately clear, companies should continue the analysis as the investigation uncovers additional facts.
Disclosure of Cybersecurity Incidents
Public companies must provide information about material cybersecurity incidents on Form 8-K — the “current report” that must be filed with the SEC to advise shareholders of major events impacting the company. (Foreign private issuers use Form 6-K.) An incident must be reported within four business days after the company determines it is material. The determination must be made “as soon as reasonably practicable after discovery of the incident.”
The report must include:
A brief description of the incident, including its scope
The date the incident was discovered
Whether the incident has been remediated
Whether any data was accessed, altered, stolen, or otherwise used
The incident’s impact on the company’s operations
If additional information comes to light after submission of Form 8-K, the company must provide updates in its Form 10-Q quarterly reports or Form 10-K annual reports. Additionally, companies must report incidents that “become material in the aggregate.”
Reporting of Cybersecurity Risk Management and Governance
Companies must also disclose their risk management policies in their annual reports. This includes:
Internal policies and procedures, including a description of any cybersecurity risk assessment program. In particular, companies must describe policies and procedures for preventing, detecting, and mitigating cybersecurity incidents.
Management’s expertise in implementing policies. Specifically, companies must explain which persons are responsible for managing cybersecurity risks and how they are informed about cybersecurity strategies.
The role of the board of directors in cybersecurity risk management. This includes the frequency with which board members discuss cybersecurity, how they’re informed of risks, and how they manage risk within the framework of business strategy.
The report should also discuss how cybersecurity risks have affected or will likely affect the company’s operations, and what recovery and business continuity plans the company has in place.
When the SEC proposed the new rules, public companies argued that four business days was inadequate time to gather the information needed for disclosure. They also argued that disclosing incidents publicly before they are fully remediated could give threat actors information that would allow them to expand the attack.
In addition, companies complained that they would have duplicate reporting requirements, particularly if they were in critical infrastructure or defense sectors. However, the greatest concern involved the breadth of SEC regulation — the cybersecurity incident reporting requirements are only a small component of more than 50 proposed rules.
Despite these arguments, the final rules became effective on September 5, 2023. Public companies, except smaller reporting companies (SRCs), were required to begin disclosing cybersecurity incidents as of December 18, 2023. SRCs have until June 15, 2024, to comply. All public companies must begin reporting their risk management and governance policies in their annual reports for fiscal years ending on or after December 15, 2023.
Learn More About New Developments in Law
Stay up to date on the most current legal developments in California and the rest of the nation with Purdue Global Law School.
Purdue Global Law School offers an online Juris Doctor if you wish to become an attorney licensed in California. If you wish to advance your legal education but do not intend to become a practicing attorney, you may consider an online Executive Juris Doctor.