For years, boards have struggled with the ongoing puzzle of cybersecurity—not just the breaches themselves, but what they were required to tell the investing public about those breaches.
On Wednesday, the SEC sought to clarify and strengthen those requirements by adopting new rules which—for the first time—will require publicly traded companies to disclose “material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a release.
The rules require companies to disclose “any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant,” as an item in an 8-K, according to the SEC. An 8-K, or current report, is used to announce events that shareholders should be aware of.
Like other 8-K disclosures, companies will be required to report cyber events within 4 business days.
According to the new rules, the materiality standard is intended to be consistent with that set out in the numerous cases addressing materiality under existing securities laws, including TSC Industries, Inc. v. Northway, Inc., Basic, Inc. v. Levinson, and Matrixx Initiatives, Inc. v. Siracusano, among others.
“Information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision,” according to the new rules, “or if it would have ‘significantly altered the “total mix” of information made available.’ ‘Doubts as to the critical nature’ of the relevant information should be ‘resolved in favor of those the statute is designed to protect,’ namely investors.”
Nonetheless, the agency declined to set a clear-cut materiality bar, such as a likely financial impact of the incident—a standard many requested during the public comment period. “A lack of quantifiable harm does not necessarily mean an incident is not material,” the SEC said.
The SEC also warned companies that not having “complete information” about the impact of a cyber incident was not an excuse for delaying an 8-K disclosure. “In other words, a company being unable to determine the full extent of an incident because of the nature of the incident or the company’s systems, or otherwise the need for continued investigation regarding the incident, should not delay the company from determining materiality.”
But in its discussion of the rules, the agency also said it had decided against “adopting, as proposed, a requirement for disclosure regarding the incident’s remediation status, whether it is ongoing, and whether data were compromised.” “While some incidents may still necessitate, for example, discussion of data theft, asset loss, intellectual property loss, reputational damage, or business value loss, registrants will make those determinations as part of their materiality analyses.”
In “extraordinary cases,” including those that may pose risks to national security, the SEC said it is working with the Department of Justice to establish “an interagency communication process to allow for the Attorney General’s determination to be communicated to the Commission in a timely manner.”
“The Department of Justice will notify the affected registrant that communication to the Commission has been made, so that the registrant may delay filing its Form 8-K,” the SEC said.
In addition, the rules add another regulation, dubbed S-K Item 106, which requires companies to:
- Describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
- Describe the board of directors’ oversight of risks from cybersecurity threats.
- Describe management’s role and expertise in assessing and managing material risks from cybersecurity threats.
These disclosures will be required in a registrant’s annual report on Form 10-K, the SEC said.
“Currently, many public companies provide cybersecurity disclosure to investors,” said Gensler. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”