In a move to enhance transparency and protect investors, the U.S. Securities and Exchange Commission (SEC) has mandated that public companies disclose material cybersecurity incidents. The rule, which came into effect last year, aims to give shareholders timely information about cyberattacks that could affect business performance. However, as cyber incidents become more frequent and sophisticated, business leaders and security officers are grappling with the complexity of the requirements.
Why Investors Should Care About Cybersecurity
For investors, cyberattacks are no longer just technical issues; they are significant financial threats. A single incident can cost a company millions in response, remediation, and lost business, and can do lasting damage to its reputation and to customer trust. These risks are magnified when companies fail to provide timely and accurate information about their cybersecurity posture.
“Cybersecurity incidents have a real impact on shareholder value,” says Kate Dedenbach, a privacy and cybersecurity attorney at Fisher Phillips. “The SEC’s goal is to ensure investors are equipped with robust and timely information so they can make more informed decisions.”
Confusion Around the New Rule
While the intentions behind the SEC’s new rule are clear, the practicalities of implementation have left many company leaders, especially Chief Information Security Officers (CISOs), puzzled. At the recent RSA Conference, a global cybersecurity event, this confusion was a hot topic. Hugh Thompson, executive chairman of the event, acknowledged the widespread concerns from attendees, highlighting the challenge of understanding which incidents must be disclosed and how they should be reported.
Recent cyberattacks on major firms like Microsoft and LoanDepot illustrate the confusion. Both companies reported incidents but were criticised for not fully complying with the SEC’s guidelines by omitting key details about the material impact of the attacks.
Building on Previous Guidance
The SEC’s 2023 rule builds on previous guidance issued in 2011 and 2018, which encouraged companies to disclose cybersecurity risks and incidents. However, according to Lei Zhou, a researcher from the University of Maryland, previous disclosures were inconsistent and failed to provide investors with clear insights.
“The new rule standardizes the disclosure process and makes it a binding requirement,” Zhou explains. “This is a significant step forward in ensuring investors have the necessary information to understand how cybersecurity risks affect businesses.”
What Constitutes a ‘Material’ Cybersecurity Incident?
One of the key components of the SEC’s rule is the need for companies to disclose “material cybersecurity incidents.” But what does “material” mean in this context? The rule does not define the term separately; it relies on the materiality standard already used in federal securities law. In practice, that covers any incident that could significantly affect a company’s financial condition, operations, or reputation.
“The question is whether a reasonable investor would consider the information important when making an investment decision,” Dedenbach says.
For business leaders, particularly CISOs, determining the materiality of an incident can be challenging. Steve Winterfeld, Advisory CISO at Akamai Technologies, notes that while companies are well-versed in assessing business risks, understanding the broader impact of losing data or suffering a breach requires new expertise.
Timing Is Critical
One of the most crucial aspects of the SEC’s rule is the timeline for reporting. Once a company determines that an incident is material, it must file a Form 8-K within four business days of that determination (not of the discovery of the incident), describing the nature, scope, and timing of the event and its material impact, or reasonably likely material impact, on the company.
“The SEC expects companies to assess materiality without unreasonable delay,” says Winterfeld, although he acknowledges that cyberattacks can be complex and take weeks to investigate fully. While the rule allows for a degree of flexibility, companies are expected to act in good faith and provide accurate disclosures as soon as possible.
Disclosure can be delayed only where the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety and notifies the SEC in writing; the exemption is narrow and time-limited.
An Annual Requirement for Risk Management Disclosures
In addition to reporting individual incidents, companies must also include an annual disclosure in their Form 10-K describing how they assess, identify, and manage material cybersecurity risks, whether such risks have materially affected or are reasonably likely to materially affect the business, how the board oversees cybersecurity risk, and what role and expertise management has in handling it. The final rule dropped the proposed requirement to disclose whether individual board members have cybersecurity expertise, but the governance focus remains, underscoring the SEC’s attention to oversight in the digital age.
Steps to Ensure Compliance
For business leaders, navigating this new regulatory landscape requires careful planning. Thompson and Winterfeld both suggest developing a clear strategy that defines materiality and outlines responsibilities across key departments, including legal, finance, and IT.
“Extensive documentation is vital,” adds Zhou. “If the SEC requests more information, companies must be prepared to provide detailed reports to justify their actions and decisions.”
While how the SEC will enforce the rule in practice has yet to be tested, it is evident that the agency is paying close attention to how companies respond to these requirements.
Looking Ahead: Evolving Cybersecurity Regulations
The SEC’s cybersecurity disclosure rule is likely just the beginning. As companies start reporting incidents under the new regulations, the SEC is expected to issue more guidance and potentially update the rule to reflect the evolving threat landscape.
Ultimately, as cyberattacks continue to rise, businesses are likely to increase their investments in cybersecurity technology and expertise. For now, company leaders must focus on understanding these new requirements and integrating them into their broader risk management strategies.