Cybersecurity incident disclosure in the US just turned stricter. Public companies in the US now have four days to disclose cybersecurity breaches that could impact their financial standing.
In an effort to enhance transparency and protect investors, the Securities and Exchange Commission (SEC) voted along party lines, 3-2, to adopt new rules on Wednesday.
“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” SEC Chair Gary Gensler.
“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
However, not all members of the commission were in favor of the new requirements, reported AP.
One of the dissenting Republican commissioners, Hester Peirce, argued that the SEC is overstepping its authority with these rules and expressed concerns that the detailed information provided by companies may inadvertently assist hackers.
Peirce also cautioned against potential micromanagement of company operations by the SEC in the future.
While certain critical infrastructure operators and healthcare providers are required by law to report breaches, no federal breach disclosure law existed before the adoption of these rules.
SEC’s interest in the matter stems from a major concern: breach information leads to a stock market activity called informed trading, currently a grey area in the eyes of law.
Stricter SEC cybersecurity incident disclosure norms
Under the newly adopted cybersecurity incident disclosure rules, registrants must disclose any cybersecurity incident that they determine to be material on the recently introduced Item 1.05 of Form 8-K.
This cybersecurity incident disclosure should encompass crucial details regarding the incident’s nature, scope, timing, and its material impact or potential material impact on the registrant.
Companies are generally expected to submit an Item 1.05 Form 8-K within four business days of confirming the incident’s materiality.
However, if immediate cybersecurity incident disclosure poses a substantial risk to national security or public safety, the disclosure can be delayed after written notification from the United States Attorney General to the Commission.
The rules introduce Regulation S-K Item 106, requiring registrants to describe their processes for assessing, identifying, and managing material risks arising from cybersecurity threats.
Additionally, companies must disclose the material effects or reasonably likely material effects of cybersecurity risks and past incidents.
Furthermore, the new rules call for detailed descriptions of the board of directors’ oversight of cybersecurity risks and management’s role and expertise in handling such risks. These disclosures will be included in a registrant’s annual report on Form 10-K.
Foreign private issuers will be held to comparable standards, required to disclose material cybersecurity incidents on Form 6-K and provide information on cybersecurity risk management, strategy, and governance on Form 20-F.
Deadline for the new SEC cybersecurity incident disclosure norms
The development of these rules was initiated in March 2022 when the SEC recognized the escalating risk of corporate network breaches due to increased digitization of operations and remote work.
The final rules are set to take effect 30 days after their publication in the Federal Register.
Companies will be required to comply with the Form 10-K and Form 20-F disclosure requirements for fiscal years ending on or after December 15, 2023.
As for Form 8-K and Form 6-K disclosures, companies will have 90 days from the date of publication in the Federal Register or until December 18, 2023, whichever is later.
Smaller reporting companies will receive an additional 180 days before they must begin providing the Form 8-K disclosure.
Moreover, all registrants must comply with the structured data requirements by tagging the required disclosures in Inline XBRL, starting one year after their initial compliance with the relevant disclosure requirement.
“In many ways, the SEC’s rule will regulate what companies should have been implementing in the first place; good cyber hygiene,” said Amit Yoran, Chairman and CEO at cybersecurity company Tenable.
“Requiring companies to provide annual updates of their cybersecurity risk management strategy and governance and report material breaches within four business days will keep customers and investors better informed as to who they trust with their business.”
In the initial announcement, SEC clarified that companies cannot avoid or delay real‑time disclosure of material cybersecurity incidents citing ongoing internal and external investigations.
“We expect this aspect of the proposed rulemaking – which prioritizes investors’ interest in real-time disclosure over the impact of such disclosures on ongoing investigations – to be a focal point of comments,” wrote Timothy Gregg, Chair of Public Company Advisory Group at US-based law firm Maynard Nexsen.
Cybersecurity incident disclosure and informed trading
According to the SEC, the rules are designed to ensure timely reporting and will require companies to reveal breach incidents within four days of their discovery.
However, the disclosure window can be extended in cases where immediate reporting poses a serious threat to national security or public safety.
Additionally, the new regulations demand public companies to annually disclose information pertaining to their cybersecurity risk management protocols and the expertise of executives in the cybersecurity field.
This measure aims to provide investors with valuable insights into companies’ preparedness against cyber threats.
In a 2018 article published in the Harvard Business Law Review, Columbia Law professors Eric Talley and Joshua Mitts identified trading patterns suggestive of informed trading prior to the disclosure of cybersecurity breaches.
They argued that trading of this type raises complex and, in context, unique concerns over price discovery, liquidity, and efficient allocation of resources.
“Profits from such trading may increase hackers’ incentives to exploit security vulnerabilities, leading to impersonation, identity theft, and greater dissemination of stolen personal information,” Joshua Mitts wrote later.
“These represent real economic costs not present in garden variety information-trading contexts. Consequently, informed cyber-trading plausibly justifies enhanced legal scrutiny of those who profit from the activity.”
The treatment of informed trading on cybersecurity breaches is complicated under existing law.
It is unlawful for an agent or fiduciary to trade on a firm’s material non-public information, for third parties to steal such information, or for a person to spread false information about a cybersecurity risk in order to manipulate stock prices.
However, if third parties were simply to use computer queries to access, discover, trade upon, and then expose bona fide cybersecurity vulnerabilities, they might face little liability under current law.
It is thus critical to have effective ongoing disclosure of cybersecurity vulnerabilities, as the SEC proposes, noted Mitts.