On Wednesday, the Securities and Exchange Commission voted 3-2 to finalize new disclosure rules on cybersecurity risks.
"Currently, many public companies provide cybersecurity disclosure to investors," observed Chair Gary Gensler in an agency press release. "I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."
While certain aspects of the proposed rules were pared back, the final rules will require public companies to disclose cybersecurity incidents in Form 8-K filings (Item 1.05) within four business days of determining materiality. While companies will not have to disclose technical details related to these incidents, they will have to describe "the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on [the company], including its financial condition and results," according to the SEC's fact sheet on the rulemaking. Although there is no required time frame to complete that materiality assessment, the Commission stated that companies must determine the materiality of an incident "without unreasonable delay" following discovery.
The rule does permit companies to delay disclosure if they obtain a written determination from the U.S. Attorney General that "immediate disclosure would pose a substantial risk to national security or public safety."
The rules also will require companies to report annually (via new Item 106 in Regulation S-K) on their "processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect [the company]," according to the fact sheet on the rulemaking. "Item 106 will also require registrants to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats," the SEC said.
Companies with fiscal years that end on or after Dec. 15, 2023, will have to make their first 10-K disclosures on cybersecurity in early 2024. The new incident reporting requirements will apply to issuers (except smaller reporting companies) within 90 days after the date of publication of the final rules in the Federal Register or after Dec. 18, 2023, whichever is later. Smaller reporting companies must begin complying with the incident reporting mandate within 270 days from the effective date of the rules or June 15, 2024, whichever is later.
Commissioners Hester Peirce and Mark Uyeda voted against the rulemaking, citing concerns about the prescriptive nature of the rules, the risks posed by the incident reporting requirements, and the lack of sufficient time for companies to prepare for compliance.
The Society submitted comment letters in May 2022 and August 2022 that detailed members' various concerns about the proposed rules.
For more on this topic, please visit the Society's Cybersecurity page.