U.S. federal market regulators have approved new rules requiring publicly traded companies to disclose “material cybersecurity incidents” within four business days of determining that an incident is material, a determination the rule says must be made without unreasonable delay after the incident is discovered. The rules, adopted by the SEC in a party-line vote, take effect in mid-December for larger businesses and in mid-June for smaller publicly traded companies. The incident disclosure rule aims to bring consistency to cyber incident reporting and to give investors timely information about incidents that could affect a company.
A companion SEC rule requires public companies to describe, in their annual reports, the board’s oversight of cybersecurity risk, management’s role and expertise in assessing and managing that risk, and the company’s processes for identifying and managing it.
The incident disclosure rule has been a subject of debate among commissioners. The Democratic commissioners supported it as a way to help investors assess risk and make informed decisions, emphasizing that cybersecurity incidents can materially affect a company’s finances and operations, and that prompt disclosure leads to more efficient pricing, which promotes capital formation and public trust in markets.
The Republican commissioners opposed the rules, arguing that mandatory incident disclosure could hand cybercriminals useful information about which companies to target and when, and that such disclosures may mislead investors who have no firsthand knowledge of the attack.
The new rules respond to the widely varying disclosure practices companies have followed for cybersecurity incidents; the SEC seeks to make reporting more comparable and consistent. The disclosure requirement focuses on the material impact of an incident (the material aspects of its nature, scope and timing, and its actual or reasonably likely effect on the company) rather than on technical details of the incident or the company’s response, with the aim of informing investors while supporting market efficiency.
With cyberattacks growing in frequency and financial consequence, the rules aim to improve transparency and to push companies toward managing and mitigating cybersecurity risk proactively rather than only after an incident.