The impact of SEC’s cybersecurity disclosure changes on public firms


The US Securities and Exchange Commission (SEC) has issued significant clarifications on its new cyber incident disclosure rules, which came into effect yesterday.

According to Security Week, the rules, originally adopted in late July, require public companies to disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is material (the clock starts at the materiality determination, not at discovery). Annual reports must now also describe the company's cybersecurity risk management, strategy, and governance.

The SEC's stated aim is to give investors timely and consistent information on which to base investment and voting decisions. The clarifications respond to concerns that such disclosures could inadvertently help threat actors by revealing sensitive details about a company's defences or an ongoing incident.

Erik Gerding, director of the SEC's Division of Corporation Finance, highlighted key aspects of the rules in a recent statement. He emphasized that disclosures should focus on the material impact of an incident rather than on extensive technical detail: companies are not expected to publish specifics about their incident response or the vulnerabilities involved, precisely so that a filing does not become a roadmap for future attacks.

Gerding also addressed concerns about the four-business-day requirement. He clarified that the initial filing need not be comprehensive: if some information is not yet known or available, the company can report it later in an amended filing. The final rule was also softened relative to the proposal, for example by dropping the proposed requirement to disclose the cybersecurity expertise of board members.

Furthermore, the rules allow a company to delay disclosure if the US Attorney General determines that disclosure would pose a substantial risk to national security or public safety. Companies submit delay requests through the FBI on behalf of the Justice Department; delays can be granted in stages totalling up to 120 days, and any delay beyond that requires an exemptive order from the SEC itself.