By Naveen Athrappully
The U.S. Securities and Exchange Commission (SEC) adopted new rules on Wednesday that will require companies to report incidents related to cybersecurity breaches within four days—a requirement that faces opposition from industry groups.
The new regulations require companies to disclose cybersecurity incidents through Form 8-K, a publicly available filing that informs shareholders about major changes at the company. Cybersecurity incidents have to be reported within four business days after being discovered.
The company should describe the incident’s “nature, scope, and timing” as well as its “material impact or reasonably likely material impact” on the firm, the SEC said in a July 26 press release.
The disclosure requirement for companies will “be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.”
The four-day time limit on disclosure can be extended if the U.S. Attorney General determines that an immediate disclosure could pose a risk to public safety or national security. The SEC voted 3-2 to adopt the new rules.
SEC Chair Gary Gensler insists that the new rules are aimed to benefit investors. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them,” he said.
However, there has been strong opposition to the SEC’s new rules, which were first proposed in March last year.
In a May 9, 2022, letter (pdf) to SEC Secretary Vanessa Countryman, the Securities Industry and Financial Markets Association (SIFMA) complained that the agency was asking for the “public disclosure of considerably too much, too sensitive, highly subjective information.”
The four-day reporting timeline may cause companies to “publicly disclose information before they have a complete understanding of the incident, and such public disclosure may result in investor confusion and unwarranted stock impacts.”
Under the new rules, companies will also have to describe the processes they have undertaken in assessing, identifying, and managing the risks from cybersecurity incidents.
A description of the management’s role and expertise in assessing and managing such risks, as well as the board of directors’ oversight of the risks, should also be included. Such disclosures have to be made through Form 10-K.
Helping Hackers, Cost Issues
Hester Peirce, a Republican commissioner at the SEC, dissented from the new rules, warning that the disclosure requirements risk handing hackers a “roadmap” on which companies to target and how to attack them.
“The 8-K disclosures, which are unprecedented in nature, could then tell successful attackers when the company finds out about the attack, what the company knows about it, and what the financial fallout is likely to be (i.e., how much ransom the attacker can get),” she said in a July 26 statement.
“The requirement to file an amended 8-K when new information comes in will provide the attacker regular updates on the company’s progress. The 8-K disclosures also will signal to other would-be attackers an opportune time to attack.”
Ms. Peirce also criticized the SEC for exhibiting “little concern” as to the costs the new rules will impose on companies and investors.
Firms would have to bear costs associated with “the possibility of increased cyber vulnerabilities because of the disclosures, the cost of preparing disclosures, and how those costs would vary across companies.”
“Costs likely will be disproportionately high (and the benefits may be disproportionately low) for investors in small public companies,” she said.
In recent years, companies have faced higher costs of dealing with data breaches. An IBM report (pdf) published this year pointed out that the average cost of a data breach rose to $4.45 million in 2023 globally, a $100,000 increase from 2022.
This represented a 2.3 percent increase from the 2022 average cost of $4.35 million. “Since 2020, when the average total cost of a data breach was USD 3.86 million, the average total cost has increased 15.3 percent.”
Amit Yoran, the CEO of Tenable and a leading cybersecurity expert, welcomed the SEC proposal.
“For a long time, the largest and most powerful U.S. companies have treated cybersecurity as a nice-to-have, not a must-have,” he said in a statement, according to Associated Press.
“Now, it’s abundantly clear that corporate leaders must elevate cybersecurity within their organizations.”
However, Mahlet Makonnen, a principal at law firm Williams & Jensen, raised concerns that the SEC may use the new rules to increase enforcement.
“The fear the industry has is that the data collected will put unnecessary burdens on industry, does not actually protect investors, and that the data can be used to grow the aggressive enforcement tactics under Gensler,” he said in an interview with CNBC.
“The more information they have, the more the SEC can determine if there are any violations of rules and regulations. It allows them to expand enforcement actions. The SEC will say they have broad authority to protect investors, and the disclosures can be used to expand the enforcement actions.”