WASHINGTON – The U.S. Securities and Exchange Commission (SEC) has approved new rules requiring publicly traded companies to disclose any cybersecurity breach within four days of its occurrence if it has the potential to affect the company’s financial standing. However, where immediate disclosure could pose a significant risk to national security or public safety, a delay is permitted.
The 3-2 vote also brings in an annual requirement for companies to disclose information on their cybersecurity risk management practices and executive expertise in the field. The aim of these new regulations is to protect investors and ensure greater transparency in cybersecurity matters.
In the event of a cybersecurity breach, the disclosure window of four days will only begin once the affected companies have determined that the breach is material. Additionally, the new rules allow the U.S. Attorney General to authorize a delay in disclosure if there is a substantial risk to national security or public safety, with notification to the SEC.
SEC Chair Gary Gensler emphasized the importance of consistent and timely disclosures, whether a company loses a factory to a fire or loses crucial data in a cybersecurity incident. The rules aim to bring clarity and consistency to cybersecurity reporting among public companies.
While the majority welcomed the rules as a way to bring more transparency and motivate companies to bolster their cybersecurity defenses, Republican commissioner Hester Peirce dissented, expressing concerns about the SEC overstepping its authority and potentially exposing sensitive information that hackers could exploit.
The passage of these rules also coincides with a major data breach related to the MOVEit supply chain hack carried out by Russian cybercriminals, impacting numerous organizations and highlighting the importance of prompt disclosures.
The rules were initially proposed in March 2022, with the SEC recognizing the growing risk of breaches due to the increasing digitization of operations and remote work arrangements, and the rising costs incurred by investors from cybersecurity incidents.
While certain critical infrastructure operators and healthcare providers are required by law to report breaches, there is currently no federal breach disclosure law. The new SEC rule seeks to address this gap and enhance cybersecurity disclosure practices across the business landscape.
A recent report by IBM revealed that the average cost to organizations dealing with breaches has risen to $4.5 million, with costs often passed on to consumers whose personal information may have been compromised.
The new SEC rule also acknowledges the impact of third-party applications, as many companies increasingly rely on external cloud services for data management and storage, creating additional cybersecurity risks.