The Securities and Exchange Commission adopted a controversial rule on Wednesday that will require publicly traded companies to report material data breaches and other cybersecurity incidents within four days of determining that the incident was “material” — a term that may prove elusive to define.
The rule, which the SEC proposed in March 2022, will give investors and the public at large “a more consistent, comparable, and decision-useful way” to learn about breaches, according to SEC Chair Gary Gensler, who voted in favor of the final rule.
The key difference between the four-day rule and the many state and federal cybersecurity reporting rules banks already have to follow is that now, public breach disclosures will happen weeks faster than before, and in all jurisdictions.
Public companies do not have to disclose technical specifics of their incident response plans or the potential vulnerabilities involved in the incident by the four-day mark, according to the rule. Rather, they must provide a high-level overview of what took place.
For example, companies must disclose what they do and do not know at the time about the date of discovery and the status of the incident (i.e. whether it is ongoing or resolved), what data might have been compromised or altered, the impact of the incident on the company’s operations, and ongoing or completed remediation efforts.
The SEC’s final rule differs in at least one important manner from the proposed rule: It will allow companies to delay disclosure if the U.S. Attorney General determines doing so could pose “a substantial risk to national security or public safety,” according to Gensler. The SEC may also exempt a company from the incident disclosure requirement, he said.
The question that looms largest over the new rule regards what exactly the SEC means when it says “material” cybersecurity incidents, and how courts will interpret the phrase. Given that this is a new rule, there is not a lot of guidance about what is or is not a “material” cybersecurity incident, according to Jennie Wang VonCannon, a partner at the law firm Crowell & Moring.
However, VonCannon said the Supreme Court has weighed in on the comparable matter of what materiality means when it comes to financial statements, holding that an error is “material” if there is “a substantial likelihood that the […] fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available,” according to its 1976 ruling in a case called TSC Industries v. Northway.
Public companies have had some time to get an idea of what their peers consider “material,” as many companies have disclosed cybersecurity incidents in 8-Ks for years. SEC staff issued interpretive guidance about publicly disclosing material cybersecurity incidents in 2011, and further guidance in 2018.
The SEC’s final rules, which go beyond the four-day rule and include some annual disclosures in 10-K forms, will become effective 30 days after the adopting release is published in the Federal Register.
“Forms 8-K and 6-K disclosures — in which cyber incident-based reporting needs to be made — will be due on December 18, 2023 or 90 days after the date of publication [of the four-day rule] in the Federal Register, whichever is later,” VonCannon said. “Smaller reporting companies will have an additional 180 days to comply with their Form 8-K disclosure requirements.”
The exact amount of time it will take for the rule to be published in the Federal Register is uncertain. Last year, the SEC published six final rules, and the time between public release of the rules and their publication in the Federal Register ranged from six to 33 days, according to an analysis by law firm Wilson Sonsini Goodrich & Rosati.
The new rule is the first that banks face at the federal level to publicly disclose material cybersecurity incidents. Banks already disclose breaches to prudential regulators and soon will also report to the Cybersecurity Infrastructure Security Administration, but these are not public disclosures.
Banks also face requirements from states to notify customers affected by data breaches, but only a few of those states require the banks to also disclose such breaches publicly. For example, data breaches that affect at least one resident in Maine get publicly disclosed, and those disclosures include the nature of the consumer data impacted, the date the breach occurred, and the number of U.S. consumers affected.
The SEC did not specify the penalty for noncompliance with its new rule, but the commission has fined companies for alleged violations of similar rules in the past. In 2021, the SEC charged three firms with deficient cybersecurity risk management after data breaches affecting between 2,177 and 4,900 consumers. Those penalties ranged from $200,000 to $300,000.
Even after the SEC issued the new rule, it remained controversial. The Bank Policy Institute, a policy research and advocacy group for banks, decried it as potentially “harming the very investors it purports to protect by prematurely publicizing a company’s vulnerabilities,” according to Heather Hogsett, senior vice president of technology and risk strategy in BPI’s technology policy division.
“No reasonable investor would want early disclosure of a cyber incident to malicious actors or a hostile nation-state, which could exacerbate security risks and create a recipe for disaster the next time a major cyber event occurs,” Hogsett said.
Darren Williams, CEO and founder of cybersecurity company BlackFog, “unconditionally” disagreed with BPI, saying it would benefit consumers by giving them more information about breaches.
“I would say these new rules actively prevent companies from trying to hide breaches, a consistent pattern over the last few years,” Williams said. “The new rules actually protect investors by ensuring companies both acknowledge and respond to these attacks and are not actively negotiating with the cybercriminals in the background.”