
SEC adopts rule requiring companies to disclose cyber incidents

FILE - The U.S. Securities and Exchange Commission building in Washington is pictured on Aug. 5, 2017. (AP Andrew Harnik, File)

The Securities and Exchange Commission (SEC) adopted a rule this week that will require publicly traded companies to report significant cyber incidents that are “material” to investors.

Companies will have four business days to report to the agency from the time they determine that the incident was material. 

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement.

“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” he added. 

Under the new rule, companies will have to disclose the incident’s nature, scope, timing and impact. 

Companies will also have to explain the processes they have in place to assess, identify and manage risks from cyber threats.

Reed Loden, vice president of security at Teleport, said that the rule is long overdue and something the industry has needed for a while.

“I’m hopeful that this ruling will act as a catalyst for all organizations to remain open and transparent about their incidents and share as much information as possible,” Loden said. 

“Sharing information means other organizations can learn from others’ mistakes to better address their own issues,” he added.

Loden also said that while the rule is a good place to start, it leaves unanswered questions about what counts as “material” from a company’s perspective, since that determination is largely left to each company’s discretion, creating some leeway.

“I suspect we’ll find some organizations may be less willing to disclose things, so it’ll be interesting to watch how forceful the SEC will be with this if it’s later revealed that certain companies failed to disclose a serious security incident,” he said. 

He added that many companies could see this new ruling as another “regulatory overhead” that they now have to comply with and that could maybe “cause them bad press, as it basically forces them to publicly announce when they have a major security incident. But for investors and consumers, it will help them understand how companies are handling security internally.”

Brandon Pugh, policy director of the cybersecurity and emerging threats team at the R Street Institute, said he’s seen mixed reaction from companies about the recent rule. 

“Some say this is similar to information they voluntarily provide now in the name of transparency while others say this might reveal sensitive security-related information,” Pugh said.

“This new rule does impose new requirements on companies, so there will be added costs to comply and potential liability if they do not,” he added.

The new rule will take effect 30 days after it’s published in the Federal Register, the agency said.  

The SEC is the latest federal body to impose cyber incident reporting requirements.

Last year, Congress passed legislation that would require companies in critical sectors to report substantial cyberattacks within 72 hours and ransomware payments within 24 hours to the Cybersecurity and Infrastructure Security Agency.

The legislation was passed amid heightened security concerns from U.S. government agencies urging companies in critical sectors to strengthen their cyber defenses against Russian cyberattacks.