The Securities and Exchange Commission approved new rules that will require entities to disclose material cybersecurity incidents.
In general, the rule will require entities that experience a cybersecurity incident to determine its materiality and, if it is deemed material, to fill out the new Item 1.05 on the Form 8-K within four days. The entity will need to describe the material aspects of the nature, scope and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.
Entities may delay the disclosure if the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of the determination in writing.
There is also a new Regulation S-K Item 106, which requires entities to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats, and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
Finally, the Form 6-K will be amended to require foreign private issuers to disclose any material cybersecurity incidents that they make, or are required to make, public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders. Form 20-F will be amended to require that foreign private issuers make periodic disclosure comparable to that required in new Regulation S-K Item 106.
SEC Chair Gary Gensler said the new rules are comparable to other disclosure requirements around materially significant events.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” he said in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
While voluntary cybersecurity disclosures have been on the rise, a high proportion of incidents remain in the dark. An analysis from Audit Analytics said that while there has been an increase in the number of events disclosed, just 43% of the 188 cybersecurity incidents were actually revealed via an SEC filing. This includes either the first disclosure of the incident or any further details provided by the company thereafter.