Cybersecurity In-Depth

Quick Hits

SEC Adopts New Rule on Cybersecurity Incident Disclosure Requirements

Boards must now file notice of a "material incident" within four business days, though questions remain.

The Securities and Exchange Commission (SEC) has adopted a rule "requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance," according to an SEC statement released today.

"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," said SEC chair Gary Gensler. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."

The rule itself noted that "under-disclosure regarding cybersecurity persists despite the Commission's prior guidance; investors need more timely and consistent cybersecurity disclosure to make informed investment decisions; and recent legislative and regulatory developments elsewhere in the Federal government, including those developments subsequent to the issuance of the Proposing Release such as CIRCIA and the Quantum Computing Cybersecurity Preparedness Act, while serving related purposes, will not effectuate the level of public cybersecurity disclosure needed by investors in public companies."

The new rule requires a Form 8-K to be filed within "four business days of determining an incident was material." However, the SEC, similar to the General Data Protection Regulation and US state data breach disclosure rules, does not specify the criteria enterprises should apply when deciding whether an incident is material or when the disclosure clock starts ticking.

As to what makes an incident material, the SEC is defining it slightly differently than it has on other matters. Traditionally, material meant anything that is significant enough to likely move the stock price — so a $20 million acquisition might be material for a smaller company but not for a much larger one. In the July 26 cybersecurity rule, the SEC took a slightly more aggressive stance, noting that information is material if it is something the investor would want to know.

"Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the 'total mix' of information made available," the SEC stated. "Doubts as to the critical nature of the relevant information should be resolved in favor of those the statute is designed to protect, namely investors."

The SEC also excluded some specific details.

"This requirement would not extend to specific, technical information about the registrant's planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."