The Securities and Exchange Commission approved a measure by a 3-2 margin to require companies to disclose material cybersecurity incidents within four business days of determining that an incident is material.
Companies will need to disclose the incident to the SEC on form 8-K, which is available for review by investors and the general public. Companies will also need to make annual disclosures regarding their cybersecurity risk management, governance and strategy.
“Currently, many public companies provide cybersecurity disclosures to investors,” SEC Chair Gary Gensler said during the hearing. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way.”
The final rules will become effective 30 days after publication in the Federal Register.
Annual risk management and governance disclosures will be required in annual reports on form 10-K (or form 20-F for foreign issuers) for fiscal years that end on or after Dec. 15.
Material incident disclosures on form 8-K (or form 6-K for foreign issuers) will be required beginning 90 days after publication in the Federal Register or Dec. 18, whichever is later.
Smaller reporting companies will get another 180 days before they have to report material incidents on form 8-K.
The changes are part of a wider effort by federal and state authorities to get companies to disclose critical information to investors and consumers about major cybersecurity attacks and data breaches, particularly since the 2020 Sunburst attacks that hit SolarWinds and the 2021 ransomware attack against Colonial Pipeline.
An issue that emerged following the Colonial Pipeline attack is that upwards of 70% of ransomware incidents in prior years were never disclosed to government authorities or law enforcement, leaving unsuspecting companies in the dark about ongoing attacks that could have been prevented.
The dissent
Among the objections raised against the proposed SEC rules was the risk of tipping off malicious hackers: a public company's disclosure could include details that help an adversary confirm whether an attack had actually succeeded.
As part of the adopted SEC requirements, such disclosures can be delayed if the U.S. attorney general determines the incident poses a substantial risk to national security or public safety.
The vote Wednesday followed intense debate among the agency leadership, with Commissioners Hester Peirce and Mark Uyeda opposing the measures as overly burdensome.
Peirce specifically raised concerns about the disclosures providing a roadmap to hackers about the success of their attacks. Uyeda said the disclosure exceeds many of the requirements for other material risks to company operations.
An official at Moody’s Investors Service called the decision credit positive for public companies, because of the transparency it will provide into how these organizations address growing cyber risk.
“The cybersecurity rules adopted by the U.S. Securities and Exchange Commission earlier today will provide more transparency into an otherwise opaque, but growing risk, as well as more consistency and predictability,” Lesley Ritter, SVP for Moody’s Investors Service, said in a statement following the vote. “Increased disclosure should help companies compare practices and may spur improvements in cyber defenses, but meeting the new disclosure standards could be a bigger challenge for smaller companies with limited resources.”
Even before adopting this rule, the SEC had begun taking steps to review, and enforce, the accuracy and transparency of companies’ statements about their past cybersecurity practices.
The SEC previously reached a $3 million settlement with software firm Blackbaud for making misleading comments on a 2020 ransomware attack.
In late June, the SEC notified SolarWinds of possible enforcement action related to statements made by the CFO and CISO about the company’s cybersecurity practices in connection with the 2020 attacks by Russia-backed hackers.