SEC Votes to Require Material Incident Disclosure in 4 DaysRules Approved in 3-2 Party Line Vote, Will Take Effect in December for Large Firms
U.S. federal market regulators adopted rules Wednesday that require publicly traded companies to disclose most "material cybersecurity incidents" within four business days of determining materiality.
The rules were approved on a party line vote after 70 minutes of discussion and debate. The three Democratic commissioners voted in favor, and the two Republican commissioners opposed. The new incident disclosure rule from the U.S. Securities and Exchange Commission will take effect in mid-December for larger businesses and in mid-June for smaller publicly traded companies (see: SEC Delays Final Rules on Breach Disclosure, Board Expertise).
"Markets depend on this basic bargain that investors get to decide which risks to take so long as companies raising money from the public make full, fair and truthful disclosure to us," said SEC Chair Gary Gensler.
Another SEC rule adopted Wednesday will require public companies to disclose management's role and expertise in assessing and managing cybersecurity risk as well as its process for assessing, identifying and managing risk. Companies must disclose the information in annual reports for fiscal years ending on or after Dec. 15. The proposed rules sought disclosure of board cyber expertise, but the final rules dropped that requirement (see: SEC Eyes Final Rules on Incident Disclosure, Board Expertise).
"Current disclosure practices with respect to material cybersecurity risks and incidents remain varied in ways that can frustrate comparability for investors," said Erik Gerding, director of the SEC's Division of Corporation Finance. "For example, we have observed that companies provide different levels of specificity regarding the cause, scope, impact and materiality of cybersecurity incidents."
SEC staff made several changes to the proposed rules in response to public comments, including adding a national security and public safety delay to the incident disclosure requirement, said Nabeel Cheema, special counsel to the SEC's Division of Corporation Finance. He also said the disclosure rules now focus on the material impact of a cybersecurity incident rather than the specific technical details.
What Does the New Incident Disclosure Rule Require?
Most of today's commissioner debate centered on the incident disclosure rule, which besides forcing public companies to disclose material cybersecurity incidents, directs them to also reveal the nature, scope and timing of the incident. Companies must determine the materiality of an incident without unreasonable delay and disclose material incidents within four days of that determination.
Disclosure may be delayed for up to 60 days if the U.S. attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety. If the attorney general indicates that further delay is necessary, the commission will in extraordinary circumstances consider requests for an additional 60-day delay (see: SEC Breach Disclosure Rule Makes CISOs Assess Damage Sooner).
"A cybersecurity incident can significantly impact a company's financial operations," SEC Chief Economist Jessica Wachter told commissioners Wednesday. "The lack of disclosure of this information can thus harm investors, leading them to misallocate wealth or make different decisions than otherwise. In the case of cybersecurity, a company may disclose too little too late."
The negative effects of market ignorance about cybersecurity incidents reaches beyond individual investors, she also said. "Nondisclosure can lower liquidity in the market, reducing market efficiency overall. Thus, disclosure can lead to more efficient prices, promoting capital formation and public trust in markets."
Why Did the Democratic Commissioners Favor the Rules?
Gensler, a Democrat, said the new cybersecurity disclosure rules will allow investors to more effectively assess risk and make more informed decisions about where to put their money. He said the SEC requires public entities to tell investors about material physical security incidents such as a factory lost in a fire, but it hasn't had similar rules around cyberspace disruption.
"Currently, many public companies provide cybersecurity disclosure to investors," Gensler told fellow commissioners Wednesday. "I think companies and investors alike, however, would benefit if this disclosure was made in a more consistent, comparable and decision-useful way."
Commissioner Jaime Lizárraga, a Democrat, said the rule will allow consumers to make more informed decisions about which companies to trust with their sensitive personal information. By focusing the disclosure on material impact, Lizárraga said, investors will be privy to essential information around intellectual property loss, business interruption, reduced cost of capital or reputational damage.
"More timely reporting of cyber incidents serves as an alert to companies in the same sector that malign hackers are launching cyberattacks," Lizárraga told fellow commissioners.
Commissioner Caroline Crenshaw, a Democrat, said the 2021 Colonial Pipeline intrusion demonstrated that cyberattacks can alter the normal course of operations for even complex capital and infrastructure-intensive businesses. She said she wants the SEC to consider more disclosure around cyber expertise on company boards.
Why Did the Republican Commissioners Oppose the Rules?
Commissioner Hester Peirce, a Republican, said mandatory incident disclosure could give cybercriminals a road map of which companies to attack and how to attack them. Publicly revealing when the company finds out about an attack, what the company knows about it and what the financial fallout is likely to be will help threat actors maximize ransom payments and figure out when to strike again, she said.
"Even as the new disclosures tip off informed cybercriminals, they might mislead otherwise uninformed investors without firsthand knowledge of cyberattacks," Peirce told fellow commissioners. "The fast timeline for disclosing cyber incidents could lead to disclosures that are tentative and unclear, resulting in false positives mispricing the stock in the market."
Commissioner Mark Uyeda, a Republican, said premature public disclosure of a cybersecurity incident at one company could reveal vulnerabilities at other public companies, especially if it involves a commonly used technology provider, resulting in potential widespread market panic and financial confusion. Early information is often incomplete and not correct, he said, and speculation could destabilize the market.
"I question the notion that a reasonable investor would be unwilling to sacrifice receiving information that may jeopardize national security and public safety," Uyeda told fellow commissioners. "Most investors do not hold the stock of a single company, but rather they hold a portfolio of securities. Investors today care far more about their overall portfolio than individual companies."