On July 26, the SEC implemented a new regulation that obliges companies to reveal any substantial cybersecurity incidents they encounter. Additionally, these companies are required to provide an annual disclosure of vital information pertaining to their cybersecurity risk management, strategy, and governance, as per an SEC announcement. SEC chair Gary Gensler compared the significance of disclosing cybersecurity incidents to revealing the loss of a factory in a fire. He stated, 'Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors.' Gensler also pointed out that while many public companies already provide cybersecurity disclosure to investors, a more consistent, comparable, and decision-useful disclosure method would benefit both companies and investors. He added, 'Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them.'
The new rule notes that despite previous guidance from the Commission, under-disclosure regarding cybersecurity persists. The rule emphasizes the need for more timely and consistent cybersecurity disclosure to enable investors to make informed investment decisions. It also acknowledges recent legislative and regulatory developments within the Federal government, such as CIRCIA and the Quantum Computing Cybersecurity Preparedness Act. However, it argues that these developments, while serving related purposes, will not achieve the level of public cybersecurity disclosure required by investors in public companies.
The newly adopted rule stipulates that a Form 8-K must be filed within 'four business days of determining an incident was material.' However, similar to the GDPR and US state data breach disclosure rules, the SEC does not provide a definition of what constitutes an enterprise determining an incident to be material, leaving ambiguity as to when the countdown begins.
The SEC has also taken a slightly more assertive stance in defining what makes an incident material. Traditionally, materiality meant anything significant enough to likely influence the stock price. However, in the context of the new cybersecurity rule, the SEC states, 'Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the 'total mix' of information made available.' The SEC further advises that any doubts regarding the importance of the relevant information should be resolved in favor of the statute's intended beneficiaries, namely investors.
The SEC's requirement, however, does not extend to specific technical details about the company's planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities. The rule specifies that such detail should not impede the company's response or remediation of the incident.