In context: The US Securities and Exchange Commission was created after the Wall Street crash of 1929, with the primary purpose of enforcing the rule of law to avoid market manipulation. In an increasingly digital world, however, the biggest threat to markets and shareholders are cybersecurity incidents.
Striving to protect the financial market in a world ruled by ransomware threats and invisible botnets, the SEC has learned a lesson or two from the EU's GDPR by choosing to make life harder for publicly listed companies. The US federal agency has a new set of rules for cybersecurity risk management and incident disclosure, which require listed companies to react to security threats in a timely and (hopefully) organized manner.
According to the new rules, both public US companies and foreign private issuers will soon be required to disclose "material cybersecurity incidents" they have experienced. Furthermore, companies will have to provide "material information" about their cybersecurity risk management, strategy, and governance on an annual basis.
Disclosure times are rather strict, as the SEC says impacted companies will have to provide an 8-K form in "four business days" after the security incident has been discovered. The disclosure may be delayed, however, if the US Attorney General determines that it would pose a "substantial risk" to national security or public safety. Smaller companies will also have an additional 180 days before they are forced to provide Form 8K disclosures.
The new form for cybersecurity incident disclosure will need to include information about the date of discovery and the status of the incident, a "concise" description of the incident's nature and extent, any data that may have been compromised, altered or accessed by unauthorized parties, the incident impact on the company's operations, information about remediation efforts by the affected company.
The new rules should become effective on December 18, 2023, with the first disclosures expected to be released 90 days later. According to SEC Chair Gary Gensler, the rules will benefit investors, companies, and "the markets connecting them." "Whether a company loses a factory in a fire - or millions of files in a cybersecurity incident," Gensler said, it may be "material to investors" and they need to know that.
Many public companies have already adopted their own rules on incident disclosure for investors, Gensler remarked, yet the market could very much benefit from the fact that disclosures are made in a more consistent, comparable, and "decision-useful way." Listed companies will not be required to disclose technical details of their incident response plans about vulnerabilities that could influence their response or remediation efforts.