The U.S. Securities and Exchange Commission (SEC) has voted 3-2 to adopt new regulations that will require publicly traded companies to notify the government when their IT systems are hacked and disclose details around their cybersecurity risk governance in public filings. The rules, which were first proposed in 2022, were adopted in a meeting on Wednesday and aim to enhance disclosures to investors regarding cybersecurity practices and material incidents.
Under the new regulations, businesses must notify the SEC within four days of determining that a cybersecurity incident will have a “material” impact on their business operations. The disclosure must include information on the nature, scope, and timing of the incident, as well as the likely material impact on the company’s financial conditions and operations.
In addition to incident reporting, companies will also be required to disclose their cybersecurity risk management, strategy, and governance in their annual filings. This includes details on how the board of directors oversees cybersecurity threats and which board committee is responsible for that oversight.
SEC Chair Gary Gensler expressed his support for the rules, emphasizing that they will standardize disclosures to investors and provide more transparency in cybersecurity practices and incidents. However, the new regulations come with certain caveats. To qualify for incident reporting, the cybersecurity incident must have a material impact on the company’s operations, revenues, or stock price. The four-day reporting timeline begins when the company determines the incident’s materiality, not when it is initially discovered.
The SEC has also adopted amendments that allow for up to two separate thirty-day delays in notification if the U.S. Attorney General deems that disclosure poses a risk to national security or public safety. A further 60-day delay is available for special emergencies. Any further reporting delays would require approval through an SEC vote.
The incident reporting provisions have been a subject of controversy, with some industry groups and congressional Republicans expressing concerns about potential conflicts with similar incident reporting rules being implemented by the Cybersecurity and Infrastructure Security Agency (CISA) for critical infrastructure entities. Some critics worry that the regulations could overly burden businesses by requiring them to notify multiple agencies of the same incident.
Commissioners Hester Peirce and Mark Uyeda voted against the measures, questioning the SEC’s expertise and authority to regulate cybersecurity decisions at a granular level. Peirce raised concerns about premature or inaccurate disclosures and the possibility of malicious hackers exploiting the reporting to gain insights into companies’ security practices.
Despite the concerns, the SEC believes that the new rules will provide more transparency and consistency in cybersecurity risk management. Lesley Ritter, Senior Vice President for Moody’s Investors Service, stated that the increased disclosure will help companies compare practices and may lead to improvements in cyber defenses. However, she acknowledged that smaller companies with limited resources may face challenges in meeting the new disclosure standards.
Smaller companies will have until June 2024 to comply with the new regulations. The SEC’s move is part of a broader push towards cybersecurity regulations to protect investors and enhance transparency in the face of increasing cyber threats.