The Securities and Exchange Commission (SEC) on Wednesday finalized its controversial rule requiring public companies to disclose the nature, scope, timing, and material impact of a cybersecurity incident within four business days of determining the incident to be material.
The rule, proposed in March 2022, has received significant attention in the past year for the relatively short window it gives businesses to grasp the extent of a cybersecurity incident such as a data breach. The compliance timeline is also short: larger companies could be required to begin making the new disclosures as soon as December.
Smaller reporting companies will receive an additional 180 days to comply.
“Currently, many public companies provide cybersecurity disclosure to investors,” said SEC Chair Gary Gensler in a press release. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
The materiality aspect will be key to the rule, as the disclosure clock starts once the business determines the incident to be material. This determination must be made “without unreasonable delay,” the SEC stated in a fact sheet, and the disclosure will be made in a new Form 8-K item.
Disclosure may be delayed in cases where the U.S. attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety, the SEC noted.
Also new will be a Regulation S-K item that will require registrants to describe their processes for identifying and managing material risks from cybersecurity threats and the role of their board of directors and management in overseeing how cyber risks are addressed.
In a dissenting statement, SEC Commissioner Hester Peirce said the rule “looks like a compliance checklist for handling cyber risk—a checklist the SEC is not qualified to write.”
The rule’s disclosure requirements “may serve to drive companies to spend resources on compliance with our rules and conformity with other companies’ disclosed practices, instead of on combatting cyber threats as they see fit,” she said. “Once the SEC can peer into how all public companies handle cybersecurity, the temptation to micromanage their operations will only grow.”
Peirce also acknowledged concerns that the disclosures could benefit cybercriminals, a point made by many commenters worried that a filing would reveal how much a company knows about an ongoing incident. The agency’s Democratic commissioners, including Jaime Lizárraga, pointed to the rule’s focus on materiality as addressing this concern.
The final rule will become effective 30 days after publication in the Federal Register. Disclosures in Form 8-K, as well as Form 6-K for foreign private issuers, will be due beginning 90 days after publication in the Federal Register or Dec. 18, 2023, whichever is later. Regulation S-K disclosures will be due beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
The SEC proposed two other rules Wednesday: one requiring broker-dealers and investment advisers to evaluate and determine whether their use of data analytics technologies in investor interactions involves a conflict of interest, and one that seeks to modernize the way internet-based advisers register with the commission.
Each proposal will be subject to a 60-day comment period following publication in the Federal Register.