Over the summer, the U.S. Securities and Exchange Commission (SEC) ratified a rule mandating publicly traded corporations to promptly divulge any cyber breaches that could materially impact investors. With these rules, the SEC hopes to both protect consumers and encourage risk management in the industry.
What is the new reporting requirement?
Under the new SEC rules, companies will have to report a cyber incident via an 8-K filing within four business days of determining the incident has had a “material” impact. The exception to this new ruling is if it's determined that sharing details of a breach could pose substantial risk to the national security or the public's well-being. Then, the reporting time might be extended by up to two months, making it a total of 60 extra days. Most companies will need to start complying with the 8-K requirements by December 18, 2023.
The new requirements mandate companies disclose the incident's nature, scope, and timing, as well as its impact. It also requires registrants to describe their processes for assessing, identifying, and managing risk. Additionally, corporations will be tasked with periodically detailing their endeavors in detecting and managing cyber threats, reflecting the SEC's larger ambition to bolster the financial system's resilience against data breaches, systems disruptions, and cyber intrusions.
Why did the SEC mandate this reporting?
As the digital rapidly evolves—often leaving companies with subpar or out-of-date security measure—cyber-attacks stand as a major threat to the global economy. The SEC spent more than a year deliberating this rule and its nuances while collecting feedback from cybersecurity professionals, the companies who have been affected, and other stakeholders. From direct attacks on targeted companies to the dismantling of supply chains, the damage caused by such attacks has created an urgency not only transparency, but also accountability.
With these requirements, the SEC hopes to mitigate risk and assist with the escalating frequency and mounting costs associated with cyber attacks that have plagued corporate entities. In a recent report published by IBM, researchers found to rectify the impact of a breach, organizations spend an average of $4.5 million per breach—a 15% increase over the past three years.
"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," SEC chair Gary Gensler said. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way."
If you have any questions about these new requirements, please reach out to your trusted IT advisor today.