The wait is over. The Securities and Exchange Commission (SEC) has issued a final rule to enhance and standardize disclosures regarding cybersecurity risk management, governance, and incidents by all companies that are publicly traded on US stock exchanges.

The transparency required by this landmark rule may be useful to some investors and prompt stronger security practices. However, the new requirements to disclose material cyber incidents on a short deadline create security risks for companies. In comments on the proposed rule, the Cybersecurity Coalition supported cyber risk management disclosures but raised concerns about requiring premature public disclosure of uncontained or unmitigated security incidents.

The rule is effective Sept. 5. Requirements related to annual reports and cyber incident disclosures begin in mid-December. Smaller companies have an additional six months to comply with the cyber incident reporting requirements. Here are some highlights from the final rule.

Incident reporting

The incident reporting requirement remains largely intact from the proposed rule: Publicly traded companies must report material cyber incidents on Form 8-K within four days of the materiality determination, regardless of whether the incident has been contained or mitigated. Filings on Form 8-K become publicly available via the SEC’s EDGAR system. As a result, the SEC’s rule is unique among cyber incident reporting regulations insofar as the report soon becomes public. As a general matter of best practice, ongoing cyber incidents should be kept quiet until they are contained and the attack vector is closed off, but the SEC’s rule will change this playbook.

The final rule makes two changes to the incident reporting requirement from the proposed rule:

  1. The information that must be disclosed has been narrowed to the material aspects of the incident, such as its scope, and any material impact on the company.
  2. The Attorney General (AG) may request, in writing, a delay of disclosure for up to 30 days where the disclosure poses a substantial risk to national security or public safety.

However, neither of these changes addresses concerns that public disclosure of uncontained or unmitigated cyber incidents creates a risk that attackers will be alerted to unpatched vulnerabilities and cause further harm. The AG delay is likely to be exercised only in exceptional cases.

Risk management disclosures

The final rule requires public companies to report annually on cybersecurity risk management and strategy. The requirements have been narrowed somewhat from the proposed rule, most notably by not specifically requiring disclosures of details regarding prevention and detection activities, continuity and recovery plans, and previous incidents.

The final rule requires public companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, including -- but not limited to:

  • Whether and how the described cybersecurity processes have been integrated into overall risk management systems or processes.
  • Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes.
  • Whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
  • Any risks from cybersecurity threats, including from previous incidents, that have materially affected the registrant.
  • Any other material information.

Board oversight disclosures

The final rule requires public companies to describe the board of directors' oversight of risks from cybersecurity threats, and to describe the processes by which the board is informed of the risks. Companies must also describe management’s role in assessing and managing material risks from cybersecurity threats. These disclosures must be part of companies’ annual reports.

The final rule did not adopt the proposed requirement for companies to disclose how the board integrates cybersecurity into business strategy, nor the frequency of board discussions on cybersecurity.

Board cyber expertise disclosures

The proposed rule would have required public companies to report descriptions of board members’ expertise in cybersecurity. The final rule did not adopt this controversial proposal. However, this is distinct from the requirement (above) that companies disclose information on the board’s oversight of cybersecurity risk.

***

Overall, the SEC rule is intended to make cybersecurity disclosures to investors more consistent, comparable, and useful for decision making. This reflects the increasing importance of cybersecurity to corporate governance. Publicly traded companies must now adapt to the enhanced transparency required by the rule.

Public companies should prepare to describe their cyber risk management processes and oversight in their public filings. Corporate communications, legal, and security teams will want to work together to establish consistent review and reporting processes.

Public companies will also need to adjust their cyber incident response plans to accommodate the new public reporting deadline. Although existing SEC regulations required disclosure of material cybersecurity incidents, now companies will be expected to disclose such incidents publicly within four days of determining materiality. For security teams, this may mean preparing for escalated or copycat attacks after public disclosure. Legal and communications teams should be part of the incident response process early on and collaborate on the most appropriate messaging for these disclosures.

There are many nuances to the final rule, and we encourage review before the compliance dates. For any questions on the rule or other cybersecurity law and policy matters, please feel free to contact one of our experts.

Harley Geiger
