Navigating New Terrain: SEC’s Cyber Incident Reporting Rules and What They Mean for Public Companies

The global average cost of a data breach was $4.35 million in 2022, and companies need to be aware of the latest technological and regulatory trends to ensure a baseline organizational readiness to keep the company on strong footing and assuage the concerns of their many stakeholders, namely investors. 

We spotlight the investor audience given the SEC’s commitment to this course as evidenced by the regulatory body’s new rules for how public companies report significant cybersecurity breaches. The new rules highlight the necessity of full disclosure with the public interest primarily in mind, but companies have taken umbrage with the details.  First, what is the standard gauge for what constitutes a significant incident, and second, the fear that with full disclosures around incidents and preparedness measures, they would be telegraphing to the very groups they are working to defend themselves against. All these concerns underscore the need for companies to maintain a comprehensive business continuity and crisis response plan.

The New SEC Cybersecurity Incident Rules

When the SEC adopted new rules requiring publicly traded companies to report cyberattacks, they set the shot clock for reporting the incident at four business days if the company makes the determination that the attack will have a “material impact” on the business. These companies will have to file an 8-K form with the SEC. 

Organizations will also have to file annual disclosures in their Form 10-K, including information about their processes for managing cybersecurity threats and how much these risks are impacting their bottom line. This piece is what will prompt any public company without at least a basic organizational readiness and response plan in place to act swiftly in doing so. Most public companies will be required to comply with the Form 8-K incident disclosure requirements beginning on the later of December 18, 2023, and 90 days after the final rule is published in the Federal Register.

The SEC chair, Gary Gensler, stated: “Whether a company loses a factory in a fire, or millions of files in a cybersecurity incident, it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

Industry Reactions to The New Cybersecurity Rules

As mentioned, the rules have met resistance with several companies pushing back against the proposed cybersecurity rules including Chevron, Quest Diagnostics, and Ernst & Young LLP. The SEC has argued that past cybersecurity reporting has been lackluster, with a staggering 90% of known cybersecurity incidents going undisclosed in regulatory filings in 2018. 

At the same time, many organizations have expressed concern about the rules. Some have suggested that disclosing cybersecurity incidents within four days would be too much of a “heavy lift” for companies, while others contend that the public reports could give hackers more information that could lead to additional cyberattacks. Other influential figures have pointed out the rules could leave companies more open to litigation.

The Bank Policy Institute has expressed grave concerns over the SEC’s new rule, arguing that it may inadvertently harm the very investors the agency aims to safeguard. As a prominent bank advocacy organization, the Institute fears that the rule could inadvertently expose sensitive information to malicious actors, placing companies at an even greater risk of cyberattack.

Meanwhile, the U.S. Chamber of Commerce contends that the new regulation stands in direct violation of prior agreements established under the Cyber Incident Reporting for Critical Infrastructure Act. This previous legislation had permitted companies to report cyber incidents to federal authorities confidentially, a measure designed to help thwart future attacks against essential industry providers. 

“We oppose the rulemaking in its current form,” said Christopher Roberti, senior vice president for cyber, space, and national security policy at the U.S. Chamber of Commerce, said in May. “We’d like to see the SEC withdraw it or shelve it.”

5WPR: Your Cybersecurity Incident Strategy Partner

From handling all manner of crises, with deep experience in cybersecurity incidents to investor communications, 5W specializes in the full spectrum of corporate communications for public companies. Understanding the technological, legal, and reputational risks, we guide companies through the complexities of compliance with the SEC’s new regulations without compromising a competitive edge or security posture.

We build customized preparedness plans for a range of public companies – from small-cap to mega-cap companies.  Our plans cover the bases from a deep audit of an organization’s toolkit for responding to a cyberattack, from their incident response plans and communications channels, team makeup, decision rights, tech stack, and messaging.  We conduct extensive stakeholder mapping, scenario planning, material development, and audience-specific messaging to arrive at a comprehensive, actionable plan that the established team can turn to for quick reference should an adverse cyber event occur.  No plan replaces the benefit of a live response team in the event of an active crisis, but our plans have brought comfort to the c-suite, helped companies respond effectively, mitigate crises, get back on the road to recovery, and now, with the new SEC rules, keep them compliant.