
New SEC rule on disclosure of cybersecurity incidents takes effect

Jan 8, 2024 | Securities and Compliance

The Securities and Exchange Commission’s new rules involving cybersecurity disclosure took effect last week, Cyberscoop reports.

Under the rules, publicly traded companies are required to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material, describing the material aspects of the incident's nature, scope, and timing, as well as its material impact, or reasonably likely material impact, on the company. Registrants must also disclose annually, in Form 10-K (new Item 1C, implementing Regulation S-K Item 106), material information about their cybersecurity risk management, strategy, and governance.

At the time the rules were adopted in July, SEC Chair Gary Gensler said, “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

The SEC said that the Form 8-K disclosure will generally be due four business days after a registrant determines that a cybersecurity incident is material. The clock starts at the materiality determination, not at discovery of the incident, and the Commission expects that determination to be made without unreasonable delay. Disclosure may be postponed if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission in writing.

The rules have drawn criticism from Republican lawmakers and national security experts. One concern is that the SEC's action duplicates the 72-hour reporting requirement for critical infrastructure owners and operators under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which CISA is implementing through its own rulemaking. Critics also said that the SEC's four-business-day window for reporting material incidents is too short, and that the information revealed in a public filing could itself pose a threat to national security, for example by signaling to an attacker that an intrusion has been detected before it has been contained.

Erik Gerding, the Director of the SEC's Division of Corporation Finance, defended the four-day deadline. "This timing is consistent with the reporting of other events the Commission requires be reported on a Form 8-K, such as entry into or termination of a definitive material agreement or a bankruptcy," Gerding said in a statement. "In adopting the four business-day deadline, the Commission explained that cybersecurity incident disclosure was not sufficiently different from other Form 8-K reporting events to warrant a different approach."

Gerding said the SEC adopted the rules after taking note of the increased cybersecurity risks that accompany the growing share of economic activity dependent on electronic systems. Those risks are compounded by the growth of remote work, the ability of criminals to monetize cybersecurity incidents (for example through ransomware and extortion), the use of digital payments, and the increasing reliance on third-party service providers for information technology services, he said. "The Commission also observed that the cost to companies and their investors of cybersecurity incidents is rising at an increasing rate," Gerding said. "All of these trends highlight investors' need for improved disclosure."

The attorneys at Lewitas Hyman include former senior attorneys at the SEC whose legal experience and industry knowledge make them uniquely qualified to provide counsel on securities regulatory, compliance and enforcement matters. We regularly monitor SEC, FINRA and other self-regulatory organization rule-making activities to help ensure that our clients are aware of any new policies, while assisting them in implementing any recommended changes. If your firm is facing an investigation from a regulatory agency, please contact Lewitas Hyman at (888) 655 6002 or through our online contact form.