SEC Finalizes Cybersecurity Disclosure Rules
The Securities and Exchange Commission finalized rules that will require public companies to disclose their cybersecurity risk strategy, management and governance, and to disclose material cybersecurity incidents within four business days. The rules were initially proposed in March 2022. The final versions passed by a vote of 3 to 2 on Wednesday.
Under the rules, issuers will be required to disclose on Form 8-K the occurrence of a material cybersecurity incident within four business days of determining that the incident is material. Erik Gerding, the director of the SEC’s Division of Corporation Finance, said that disclosure of incidents currently varies in its specificity and timing, which makes it difficult for investors to locate the information and act on it.
Laura Jehl, co-chair of the privacy, cybersecurity and data strategy practice group and a partner in Willkie Farr & Gallagher LLP, says that the definition of materiality in these rules is the same as in other contexts: An event that a reasonable investor would want to know about in decision making, for reasons such as financial impact or reputational factors, is material.
The disclosure must include the nature, scope, timing and impact of the incident. Jessica Wachter, the director of the SEC’s Division of Economic and Risk Analysis, noted that, unlike the proposal, the final rules do not require issuers to disclose the technical details of the incident, which limits their exposure to follow-up attacks that might take advantage of disclosed vulnerabilities.
Companies can seek a delay in disclosure if they receive written permission from the U.S. attorney general, based on a finding that disclosure presents a risk to national security or a threat to public safety. This allows up to two delays of 30 days each. If the attorney general finds that the threat is a severe one, companies can postpone disclosure for an additional 60 days, up to a total of 120 days.
Commissioner Hester Peirce, who dissented, remarked that obtaining this permission from the Department of Justice in four business days will be “quite the feat.”
Jehl says a direct channel to the attorney general is “not something that many have in place now.” She adds, however, that requests of this kind from law enforcement are “pretty unusual these days” and would probably come as an FBI request that arises from national security concerns. Nevertheless, Jehl acknowledges that obtaining a delay will be “tough to do,” and this exception is “not very meaningful.”
The delay process was requested by many commenters and stakeholders, though it does not address the concerns about delay requests that could arise from law enforcement agencies.
In addition to specific incidents, companies will also need to disclose details about their cybersecurity risk management and governance. This includes the expertise of managers and committees assigned to cybersecurity. Commissioner Mark Uyeda, who voted against the rule, quipped that issuers must disclose information about cybersecurity managers that is “equal to their resumes.”
Wachter explained that these disclosures are intended to correct information asymmetries for investors and lead to better pricing. They will also lead to more efficient capital formation by building trust in issuers. Additionally, these disclosures will lead to “positive externalities” by raising awareness and “promoting better decision making.”
Peirce did not agree with this characterization. She said at Wednesday’s hearing that the incident disclosures made in four days or fewer are likely to be vague and incomplete and will trigger overreactions and therefore less efficient pricing. Uyeda agreed and said, “Early information is often incomplete and not correct.”
Jehl explains that industry actors often share information about digital breaches anyway, and this exchange is encouraged by the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. She says the disclosure rules are “intended to address investors” so that they can make more informed decisions.
The SEC will begin enforcing the rule for annual reports with the 2023 reports, while incident reports will become required 90 days after the rule’s publication in the Federal Register, according to Jehl.
Cybersecurity is an issue of growing importance to the SEC. Commissioner Jaime Lizárraga noted that the average cost of a breach is approximately $9.4 million. The SEC currently has two additional proposals, one to update Reg SCI and another to update Reg S-P, still outstanding.