Public companies would have to report material cybersecurity incidents no later than four business days after they occur if a rule proposed by the Securities and Exchange Commission (SEC) on Wednesday takes effect.
The proposed rule would require companies to disclose information about whether any data was stolen, steps taken to remediate the incident, and how operations were affected. Periodically, the company would have to provide updates to investors about the material effects the incident had or continues to have as well as how it is being addressed.
“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks,” said SEC Chair Gary Gensler in a press release. Noting current disclosures are not consistent, comparable, and decision-useful, Gensler added the proposal “would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”
Public companies are already required to disclose a ransomware attack or a theft of customer data when that information is material to investors. The new rule would set a four-day deadline for reporting such incidents and also require firms to follow up with additional disclosures as they address the attack.
The SEC defines a cybersecurity incident as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” While a cybersecurity incident had traditionally indicated a data breach of information about customers or employees, the definition has broadened as hackers and their attacks have become more sophisticated.
The disclosures would be aimed at helping investors understand the scope and severity of a cybersecurity incident on a company’s operations and finances. The proposal makes it clear a company is not required to reveal “specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities.” Revealing that level of detail could impede the company’s response, the SEC said.
The four-day rule and accompanying disclosure requirements would make it easier for investors and the public to compare the impact of cybersecurity incidents on different companies, the SEC said. The agency said cybersecurity incidents are likely underreported; it has noticed some companies report cybersecurity incidents to the public in the press or in other ways but not in 8-K or 10-K filings. Information disclosed about cybersecurity events is inconsistent, with some companies including materiality assessments and explaining the remedial steps taken to address the incident while other companies provide much less information.
The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, the SEC said.
The SEC last issued guidance on cybersecurity event reporting for public companies in 2018. In January, Gensler said the agency was considering new rules that would require investment advisers, broker-dealers, and investment firms to enhance disclosures about their cyber hygiene and cybersecurity measures as well as on data breaches.
SEC Commissioner Hester Peirce, in a dissenting opinion Wednesday, objected to many of the rule’s proposed requirements on implementing policies and procedures and forcing a company to list all its cybersecurity expertise in detail.
The proposal, she warned, “flirts with casting us as the nation’s cybersecurity command center, a role Congress did not give us.”
“The substance of how a company manages its cybersecurity risk … is best left to the company’s management to figure out in view of its specific challenges, subject to the checks and balances provided by the board of directors and shareholders,” she wrote.
The SEC is seeking public comment on the proposed rule for at least 60 days.