SEC to require companies to disclose cybersecurity incidents

The Securities and Exchange Commission approved new rules Wednesday requiring companies that it regulates to quickly disclose “material” cybersecurity incidents and share the details of their cybersecurity risk management, strategy, and governance with the commission on an annual basis.

The commission also adopted similar rules for foreign companies doing business in the U.S.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a prepared statement.

He added that while many companies now disclose cybersecurity incidents, companies and investors would “benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

Under the new rules, companies are required to provide the SEC with relevant details of a given incident’s “nature, scope, and timing” and offer information about how they believe the event will impact them. The disclosure will be required within four business days of the company deciding the incident is “material.”

If the U.S. Attorney General advises that immediate disclosure would threaten national security or public safety the disclosure can be delayed, the SEC said in a press release.

Some leaders in the investment community cheered the decision.

The global integrated risk assessment firm Moody’s issued a statement saying the new rules will provide “more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability.”

The statement from Moody’s Investors Service Senior Vice President Lesley Ritter went on to say the firm believes increased disclosure will enable companies to “compare practices and may spur improvements in cyber defenses” by pushing companies with higher cyber risk to fix weaknesses.

However, Ritter acknowledged the rules could be a challenge for smaller companies with fewer resources.

In addition to the disclosure rules, companies will be required to explain how they identify and manage significant cyber threats as well as explain risks posed by previous incidents. Companies also will be required to detail how their board of directors supervises cyber risk as well as their expertise for doing so. These details will be required to appear in companies’ annual reports.

The new rules will become effective in December, but smaller companies will be given an extra 180 days to comply.

At a SEC hearing Wednesday discussing the new rules, Erik Gerding, the agency’s director of corporate finance, described them as a vast improvement over the current system, saying it will now be far easier for investors and regulators to assess a given firm’s cybersecurity risk.

“Current disclosure practices with respect to material cybersecurity risks and incidents remain buried in ways that can frustrate comparability for investors,” Gerding said. “For example, we have observed that companies provide different levels of specificity regarding the cause, scope, impact, and materiality of cybersecurity incidents.”