The Securities and Exchange Commission voted 3-2 to adopt new regulations that would require publicly traded companies to notify the government when their IT systems are hacked and periodically disclose details around their cybersecurity risk governance in public filings.
The rules, first proposed in 2022, were adopted in a meeting Wednesday, and would compel businesses to notify the SEC and public within four days of determining that a cybersecurity incident will have a “material” impact on their business operations. They would require information on the nature, scope and timing of the incident, as well as the “likely” material impact on the registrant’s financial conditions and operations.
The regulations would also compel companies to disclose cybersecurity risk management, strategy and governance in their annual filings. The newly approved disclosures would include details on how the board of directors oversees risks from cybersecurity threats and identify a board committee or subcommittee responsible for oversight.
“I’m pleased to support the rules. At its core, I think it’s because they will enhance and help standardize disclosures to investors with regard to these public companies’ cybersecurity practices as well as material cybersecurity incidents,” said SEC Chair Gary Gensler ahead of the vote.
Gensler was joined by commissioners Caroline Crenshaw and Jaime Lizárraga in voting to approve the rules.
There are numerous caveats to the new incident reporting regulations. First, an incident must have a “material” impact on a business’s operations, revenues or stock price to qualify. SEC staff also specified that the four-day reporting timeline would begin when a company makes a determination around an incident’s materiality, not at the initial discovery.
Further, the commission adopted amendments that allow for two separate thirty-day delays in notification of a cyber incident if the U.S. Attorney General notifies the commission that the disclosure would pose a risk to national security or public safety, as well as an additional 60-day delay for special emergencies. Beyond that, the SEC would need to vote to approve further reporting delays.
Jessica Wachter, chief economist at the SEC, said the new rules would likely create new compliance burdens on companies, but the commission is not requiring technical details on reported incidents. Further, she said disclosure can arm the public with the information they need to make more informed decisions. Failure to disclose such incidents, she said, leads to “the classic problem of information asymmetry” between a public company and investors.
“A cybersecurity incident can significantly impact a company’s financial operations. The lack of disclosure of this information can thus harm investors, leading them to misallocate wealth or make different decisions than otherwise,” said Wachter. “In the case of cybersecurity, a company may disclose too little, too late.”
Before the vote, Nabeel Cheema, SEC special counsel, said changes to the rules in response to industry feedback include adding multiple delay windows for national security as well as a broader shift to focus the incident reporting rule on “the material impact or reasonably likely material impact…rather than on the specific technical details of the incident.”
The incident reporting provisions have been one of the most controversial aspects of the SEC’s larger push around cybersecurity over the past two years. The proposed, and now adopted, rules have been met with enthusiasm in some quarters but have also received pushback from industry, members of Congress and dissenting commissioners at the agency itself.
Specifically, industry groups and congressional Republicans have worried that the regulations could conflict with similar incident reporting rules being implemented by the Cybersecurity and Infrastructure Security Agency for critical infrastructure entities and overly burden businesses when they experience a breach by requiring them to notify multiple agencies of the same incident.
Harley Lorenz Geiger, a cybersecurity attorney at Venable, told SC Media that requiring companies to disclose their cyber risk management processes could help arm investors with useful information and possibly prompt better security practices.
However, he criticized the "short deadline" the SEC is placing on companies with regard to the four-day reporting measure, noting that businesses must now notify the government "regardless of whether the incident is contained or mitigated."
"This creates risks to companies, investors, and consumers that attackers will be alerted to unpatched vulnerabilities and can cause further harm," he said. "For now, publicly traded companies should prepare to describe their cyber risk management processes and oversight in their public filings and companies should also adjust their cyber incident response plans to accommodate this new public reporting deadline."
Commissioners Hester Peirce and Mark Uyeda voted against the measures, arguing the agency lacks the expertise – and perhaps authority – to regulate the cybersecurity decisions of companies at a granular level.
Peirce questioned how the commission could understand the intricacies of an emerging cybersecurity incident better than the companies who are responding to it or dictate the timing of when to notify the public or investors, saying it could lead to premature or inaccurate disclosures.
She also wondered whether reporting on incidents or cybersecurity governance could be exploited by malicious hackers and other bad actors to obtain insights into the security practices of companies.
“Although better than the original proposal, this final cybersecurity disclosure rule continues to ignore both the limits to the SEC’s disclosure authority and the best interest of investors,” said Peirce ahead of the vote. “Moreover, the commission has failed to explain why we need this rule. Accordingly, I dissent.”
Lesley Ritter, Senior Vice President for Moody’s Investors Service, said in a statement that the new rules “will provide more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability.”
“Increased disclosure should help companies compare practices and may spur improvements in cyber defenses, but meeting the new disclosure standards could be a bigger challenge for smaller companies with limited resources,” she said.
In the meeting Wednesday, Peirce echoed concerns about the ability of small businesses to comply. Erik Gerding, director of the agency’s Division of Corporation Finance, noted that smaller companies would not be required to comply with the rules in June 2024.