
Although the National Association of Manufacturers and others recently persuaded the U.S. Securities and Exchange Commission to scale back its cybersecurity reporting rule for publicly traded companies, businesses still face new compliance burdens in the months ahead. 

Under the final SEC rule, publicly traded companies must publicly disclose a cybersecurity incident within four business days of determining that the incident is material. The goal of the rule is to protect investors, who are demanding greater transparency about the increasing number of cyberattacks on companies and the financial harm those breaches cause. 

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said after the rule was adopted on July 26. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.” 

The original draft SEC proposal would have required detailed reporting on companies’ policies and procedures for responding to cybersecurity threats. NAM and other business groups criticized that as providing a roadmap to potential hackers and noted that sharing information about ongoing incidents could compromise efforts to stop an attack.  

In the end, the SEC agreed to make some “commonsense adjustments” that give companies greater flexibility, NAM said. The final rule is more tailored than the original draft and reduces the risk that companies will be forced to expose sensitive information. The four-business-day reporting requirement remains, but disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety: an initial delay of up to 30 days, which can be extended by a further 30 days and, in extraordinary circumstances involving national security, by up to 60 more. The delay is not available merely on a company’s request; it requires that determination by the Attorney General. 

“Manufacturers were glad to see that the SEC made some adjustments to its rule, but more must be done,” NAM Senior Director of Tax and Domestic Economic Policy Charles Crain said in a statement on Aug. 2. “The SEC and the Department of Justice must grant companies the flexibility to delay incident reporting to prevent threats to public safety and national security.” 

Publicly traded companies should also be aware of other compliance burdens associated with the SEC’s cyber rule. 

As part of the annual report process, companies must provide “sufficient detail for a reasonable investor to understand” the company’s cybersecurity risk management program. However, companies will not have to detail their specific prevention and detection activities, because NAM and other business groups persuaded the SEC to drop that language from the rule. 

Information about cybersecurity oversight by the board and management must still be provided in the annual disclosure, but the SEC struck from its final rule a provision opposed by NAM that would have required companies to have a cybersecurity expert on their boards. 

Effective dates for the new requirements are as follows: 

  • The new annual cybersecurity risk management and governance disclosures are required in annual reports for fiscal years ending on or after Dec. 15, 2023.  
  • Most public companies must comply with the Form 8-K incident disclosure requirement beginning Dec. 18, 2023; smaller reporting companies were given an additional 180 days, until June 15, 2024.