On December 15, 2023, the U.S. Securities and Exchange Commission (SEC) published a new cybersecurity disclosure rule that has significant implications for public companies. This rule mandates that public companies report cybersecurity incidents in a timely and comprehensive manner, providing investors with clearer and more consistent information about risks that could impact their operations and financial standing. While this regulation primarily targets public companies, its reach will extend to non-public entities, especially as cyber threats continue to escalate across industries.
Rising concern over cybersecurity risks
Cybersecurity risks are a concern for businesses of all sizes. As cyberattacks become more frequent and costly, the financial burden of data breaches is becoming harder to ignore. IBM’s 2024 “Cost of a Data Breach” report shows a 10% increase in the global average cost of a breach, rising from $4.45 million in 2023 to $4.88 million in 2024. This sharp increase in breach-related costs underscores the gravity of the threat, particularly for smaller businesses, which can be decimated by the financial fallout. Large corporations may have the resources to recover, but for many smaller companies, the impact is severe, and the reputational damage often proves irreversible.
Cyberattacks aren’t confined to private companies; government organizations and critical infrastructure are also vulnerable. The SEC’s heightened interest in these cybersecurity threats reflects a broader recognition that protecting sensitive information is essential not just for companies, but for the entire economy. This rising concern is behind the SEC's decision to require clearer disclosures that give investors a better understanding of how these cyber risks could affect their investments.
Key provisions of the SEC Cybersecurity Disclosure Rule
The SEC’s new rule has two primary requirements for public companies:
- Material cybersecurity incidents: Public companies are now required to disclose cybersecurity incidents within four business days of determining that the incident is material to their operations. This short disclosure window aims to provide investors with timely, accurate information about potential risks, ensuring transparency and preventing market disruption.
- Cybersecurity risk management and governance: As part of their annual 10-K filings, companies must disclose information about their cybersecurity risk management strategies and governance structures. This provides investors with an understanding of how companies are preparing for and responding to cyber threats, offering more insight into their long-term security posture.
The SEC's goal with these provisions is to offer investors more consistent and comparable information on cybersecurity risks and incidents, ultimately helping them make informed decisions.
Determining materiality: A new approach
A key component of the SEC's new rule is the emphasis on materiality. Companies must now establish a process to assess whether an incident is material, meaning whether it could reasonably influence an investor’s decision to buy or sell stock. This materiality determination is made by the company’s Chief Financial Officer (CFO) and Chief Security Officer (CSO), who will work together to evaluate the incident’s potential financial, operational, and reputational impacts.
Unlike other types of disclosures, such as mergers and acquisitions, which must be reported regardless of materiality, cybersecurity incidents require careful evaluation. This shift ensures that only the most impactful events are disclosed, helping prevent unnecessary alarm from less severe incidents.
Timely reporting: A four-day window
The SEC’s requirement for a four-day disclosure window is crucial. It aligns with the timeliness standards of other Form 8-K reporting requirements, such as major agreements or bankruptcies. While companies may not have all the details of an incident within this timeframe, the SEC expects companies to disclose the materiality of the breach as soon as possible. The rule also allows for follow-up filings as more information becomes available, ensuring that investors are kept up-to-date as the situation develops.
The SEC’s focus on timely, accurate reporting underscores its broader goal of transparency. The quicker investors are informed, the better equipped they are to make informed decisions, minimizing uncertainty in the market.
Why materiality?
The SEC’s use of the materiality standard, rather than a fixed threshold (such as a specific number of records lost), reflects the complex nature of cybersecurity incidents. The impact of these incidents can vary greatly depending on the company, the type of attack, and the specific data involved. For example, a large company may experience frequent, minor cyberattacks that do not rise to the level of materiality, while a single major breach at a small corporation may have far-reaching consequences.
This flexible, investor-focused standard is central to the SEC's disclosure approach, ensuring that companies report the incidents that could influence an investor’s decision to buy or sell stock.
The role of cybersecurity governance
In addition to incident disclosures, the SEC now requires companies to report on their cybersecurity governance and risk management strategies. This annual disclosure will help investors assess a company’s ability to handle future cybersecurity risks, offering greater visibility into how well-prepared a company is for emerging threats.
While the rule doesn’t mandate that companies have cybersecurity experts on their boards, it does require companies to disclose how their board oversees cybersecurity risks and which management positions are responsible for security. This ensures that investors can assess whether the company is taking adequate steps to safeguard its digital assets.
Continued lack of transparency in SEC cybersecurity reporting
Since the rule went into effect, the approach to SEC filings has left much to be desired. Many disclosures describe the incident in qualitative terms, but fail to provide quantitative details like financial losses, reputational damage, or share price fluctuations. For example, when Crimson Wine Group reported a cybersecurity incident, it stated that the breach “likely” had a material impact on operations, but didn’t provide any concrete financial figures. This lack of specificity makes it difficult for investors to assess the true impact of a breach.
Under the SEC rule, companies are expected to go beyond vague descriptions and provide specific data to help investors gauge the significance of an incident. This is crucial for making well-informed investment decisions, as investors rely on this information to assess risk.
Addressing SEC guidance and the ongoing reporting issues
In May 2024, the SEC issued updated guidance emphasizing that companies should only file disclosures for material cybersecurity incidents. The new guidance also underlined the need for public companies to consider both quantitative and qualitative impacts, and to present timely updates if the situation evolves. Specifically, if a company initially considers an incident immaterial but later determines it is material, it must file a subsequent 8-K update. Even in these updates, companies must still provide specific details on the nature, scope, and timing of the incident.
Still, this framework hasn’t solved the problem of inadequate reporting. Many companies are only disclosing generalized impacts like "systems were down" or "data was lost" without saying how many records were compromised, whether customer data was involved, or how much the breach will cost them. The qualitative nature of these disclosures leaves investors guessing, even though the SEC specifically asks companies to quantify impacts when they can.
For example, when Hewlett-Packard and Microsoft disclosed cybersecurity incidents, the lack of financial detail in their reports left more questions than answers. Their disclosures typically lack statements about the earnings impact, or how the breach could impair strategic operations like mergers and acquisitions or affect customer relations.
Implementing a robust materiality process
The challenge isn't just about the disclosures themselves; it's also about the process of determining materiality. For companies to make accurate materiality decisions, they need to have a well-documented process for evaluating incidents. The SEC guidance makes it clear that if an incident is deemed material, it must be disclosed. But companies must first evaluate whether the incident will likely affect their financial condition, operations, or stock price. This assessment process should be clearly documented and communicated, especially in the event of regulatory scrutiny.
Without such a process in place, companies risk failing to meet SEC standards, which could lead to reputational damage, regulatory penalties, and investor backlash. The SEC has also made it clear that it is permissible to disclose incidents as immaterial initially, but if this determination changes over time, companies must file an updated disclosure to keep investors informed. Thus, companies have the flexibility to reassess and update their materiality determination as new facts come to light.
A practical approach to materiality and cybersecurity disclosures
So, how can companies improve their cybersecurity disclosures? Here are some key questions* they can ask themselves to develop a more thorough process for determining materiality:
- Financial Impact: How did the incident affect sales, revenue, and costs? How will it affect these metrics going forward? For example, did the company have to make ransomware payments?
- Operations: Were any critical systems compromised or impacted? Was there any downtime in key operations?
- Data Security: Was any data lost or stolen? What type of data was compromised, and how many records were affected?
- Reputation: How did the incident affect relationships with customers, partners, or vendors? What was the public and media perception of the event?
- Compliance: Was the company in compliance with regulatory requirements when the incident occurred? Did it affect the company’s compliance standing going forward?
- Litigation Risk: Is there a risk of shareholder litigation or regulatory fines as a result of the breach?
These questions help frame a more comprehensive materiality assessment, ensuring that companies aren't just offering vague or minimal details in their reports. By making the right disclosures, they can maintain investor confidence and minimize regulatory risks.
Looking ahead
The SEC’s new cybersecurity disclosure rule represents a significant shift in how companies are expected to handle cybersecurity transparency. Public companies will need to develop and refine processes for assessing and reporting cybersecurity incidents, ensuring they meet the SEC’s materiality and timeliness standards. For investors, the rule promises better access to consistent, comparable information on cybersecurity risks, which could influence long-term investment decisions. As cybersecurity threats continue to evolve, the SEC’s increased focus on cyber risk governance is an important step in ensuring that companies remain accountable for safeguarding their digital assets.
*Source: JD Supra, The SEC’s Cybersecurity and Disclosure Rules: What Companies Need to Know, JD Supra, November 1, 2024 (discussing the key questions around the SEC's updated cybersecurity disclosure rules)