New SEC reporting rules give companies four days to report cyber incidents

Wall Street’s top regulator, the US Securities and Exchange Commission (SEC), voted on a new set of rules to require registrants, including publicly traded companies and foreign private investors, to disclose cybersecurity incidents they experience within four business days after they determine that a cybersecurity incident is material. Registrants are also required to report ransomware payments within 24 hours and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

“Many public companies provide cybersecurity disclosure to investors,” said SEC Chair Gary Gensler, acknowledging that public companies report material cyber incidents under the current rules. However, Gensler noted that SEC staff have observed that this level of reporting has not resulted in sufficiently consistent, comparable, and useful disclosure. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” he said.

SEC Commissioner Jaime Lizarraga said that the reporting rule regarding risk management, strategy, and governance will “strengthen the quality, consistency, and timeliness of cybersecurity-related disclosures to investors,” noting that the SEC currently has “zero disclosure requirements that explicitly refer to cybersecurity risks, governance or incident reporting.” He added that by “clarifying what companies must disclose, the rule will provide investors with more certainty and easier comparability. This will reduce the risk of adverse selection and the potential mispricing of a company.”

Initial reaction by the investor community, as well as many cybersecurity vendors, appears positive. Lesley Ritter, senior vice president for Moody’s Investors Service, said, “The cybersecurity disclosure rules adopted by the US Securities and Exchange Commission earlier today will provide more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability,” She added that “Overall, the rules are credit positive for public companies that are subject to SEC reporting requirements, as disclosures are useful to compare how companies, particularly those with elevated cyber risk, are addressing these challenges.”

The following sections summarize some of the highlights in the SEC’s 186-page new rules slated for publication in the Federal Register over the coming days:

Incident disclosure

The Commission’s new rules, which it describes as more narrow than those first floated in March, will require registrants to disclose within four days on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.