The Securities and Exchange Commission
The rule, which the SEC proposed in March 2022, will give investors and the public at large "a more consistent, comparable, and decision-useful way" to learn about breaches,
The key difference between
Public companies do not have to disclose technical specifics of their incident response plans or the potential vulnerabilities involved in the incident by the four-day mark, according to the rule. Rather, they must provide a high-level overview of what took place.
For example, companies must disclose what they do and do not know at the time about the date of discovery and the status of the incident (i.e., whether it is ongoing or resolved), what data might have been compromised or altered, the impact of the incident on the company's operations, and any ongoing or completed remediation efforts.
The SEC's final rule differs in at least one important manner from
The question that looms largest over the new rule regards what exactly the SEC means when it says "material" cybersecurity incidents, and how courts will interpret the phrase. Given that this is a new rule, there is not a lot of guidance about what is or is not a "material" cybersecurity incident, according to Jennie Wang VonCannon, a partner at the law firm Crowell & Moring.
However, VonCannon said the Supreme Court has weighed in on the comparable matter of what materiality means when it comes to financial statements, holding that an error is "material" if there is "a substantial likelihood that the [...] fact would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available," according to its 1976 ruling in a case called TSC Industries v. Northway.
Public companies have had some time to get an idea of what their peers consider "material," as many companies have disclosed cybersecurity incidents in 8-Ks for years. SEC staff
The SEC's final rules, which go beyond the four-day rule and include some annual disclosures in 10-K forms, will become effective 30 days after the adopting release is published in the Federal Register.
"Forms 8-K and 6-K disclosures — in which cyber incident-based reporting must be made — will be due on December 18, 2023, or 90 days after the date of publication [of the four-day rule] in the Federal Register, whichever is later," VonCannon said. "Smaller reporting companies will have an extra 180 days to comply with their Form 8-K disclosure requirements."
The exact amount of time it will take for the rule to be published in the Federal Register is uncertain. Last year, the SEC published six final rules, and the time between public release of the rules and their publication in the Federal Register ranged from six to 33 days,
Several federal agencies have recently stepped up requirements on banks to notify regulators and the public when they fall victim to cybersecurity incidents.
The new rule is the first that banks face at the federal level to publicly disclose material cybersecurity incidents. Banks
Banks also face requirements from states to notify customers affected by data breaches, but only a few of those states require the banks to also disclose such breaches publicly. For example, data breaches that affect at least one resident in
The SEC did not specify the penalty for noncompliance with its new rule, but the commission
Even after the SEC issued the new rule, it remained controversial. The Bank Policy Institute, a policy research and advocacy group for banks, decried it as potentially "harming the very investors it purports to protect by prematurely publicizing a company's vulnerabilities," according to Heather Hogsett, senior vice president of technology and risk strategy for BPI's tech policy division.
"No reasonable investor would want premature disclosure of a cyber event to malicious actors or a hostile nation-state, which could exacerbate security risks and create a recipe for disaster the next time a major cyber incident occurs," Hogsett said.
Darren Williams, CEO and founder of cybersecurity company BlackFog, "categorically" disagreed with BPI, saying the rule would benefit consumers by giving them more information about breaches.
"I would say these new guidelines actively prevent companies from trying to conceal breaches, a consistent trend over the last few years," Williams said. "The new guidelines actually protect investors by ensuring companies both acknowledge and react to these attacks and are not actively negotiating with the cybercriminals in the background."