SEC rules create new cybersecurity reporting requirement

Cyber breaches must now be reported within four business days.
News built for finance pros

CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.

Cybersecurity breaches can be costly for organizations. Under new SEC rules adopted on July 26, publicly reporting companies will now have to disclose exactly how cyberattacks impact their bottom lines.

The new SEC rules require that companies “disclose…any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant” on a new item on Form 8-K within four business days of the incident.

“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” SEC Chair Gary Gensler said in a statement. “Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

However, there are some exceptions to this rule. Companies can hold off on disclosing breaches if the US Attorney General “determines that immediate disclosure would pose a substantial risk to national security or public safety.”

Companies will also have to make annual disclosures outlining their cybersecurity risk management policies, the board’s role in overseeing cyber risk and any cybersecurity expertise board members may have, and management’s role in managing cybersecurity risk.

The SEC has been considering the new rules since March 2022. Companies covered by the new rules will likely have to make significant changes to their cybersecurity policies and procedures, as well as how their finance departments work with IT and cybersecurity teams.

Since finance leaders are often responsible for organizational compliance and risk management efforts, their role in creating a corporate culture of cybersecurity awareness is likely to be front and center, Daryl Crockett, CEO of data security consulting firm ValidDatum and a consulting fractional CFO, told CFO Brew this March.

The rules passed by a 3–2 vote among SEC commissioners. Commissioner Hester Peirce, who voted against the new rules, decried them as too much oversight and too expensive, in a statement after the vote.

“Today’s rule…reads like a test run for future overly prescriptive, overly costly disclosure rules covering a never-ending list of hot topics,” she wrote.

The new four-day incident disclosure rules go into effect 30 days after the release is published in the Federal Register, and public companies will have to start their annual cybersecurity disclosures this December.