Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

SEC Adopts New Rule on Cybersecurity Incident Disclosure Requirements

Boards must now file notice of a "material incident" within four business days, though questions remain.

Evan Schuman, Contributing Writer

July 26, 2023

2 Min Read
Two blue keys with the words Full Disclosure.
Source: alon harel via Alamy Stock Photo

The Securities and Exchange Commission (SEC) has adopted a rule "requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance," according to an SEC statement released today.

"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," said SEC chair Gary Gensler. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."

The rule itself noted that "under-disclosure regarding cybersecurity persists despite the Commission's prior guidance; investors need more timely and consistent cybersecurity disclosure to make informed investment decisions; and recent legislative and regulatory developments elsewhere in the Federal government, including those developments subsequent to the issuance of the Proposing Release such as CIRCIA and the Quantum Computing Cybersecurity Preparedness Act, while serving related purposes, will not effectuate the level of public cybersecurity disclosure needed by investors in public companies."

The new rule requires a Form 8-K to be filed within "four business days of determining an incident was material." However, the SEC, similar to the General Data Protection Regulation and US state data breach disclosure rules, does not specify the criteria enterprises should apply when deciding whether an incident is material or when the disclosure clock starts ticking.

As to what makes an incident material, the SEC is defining it slightly differently than it has on other matters. Traditionally, material meant anything that is significant enough to likely move the stock price — so a $20 million acquisition might be material for a smaller company but not for a much larger one. In the July 26 cybersecurity rule, the SEC took a slightly more aggressive stance, noting that information is material if it is something the investor would want to know.

"Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the 'total mix' of information made available," the SEC stated. "Doubts as to the critical nature of the relevant information should be resolved in favor of those the statute is designed to protect, namely investors."

The SEC also excluded some specific details.

"This requirement would not extend to specific, technical information about the registrant's planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."

About the Author

Evan Schuman

Contributing Writer, Dark Reading

Evan Schuman has tracked cybersecurity issues for enterprise B2B audiences for far longer than he will admit. His byline has appeared in The New York Times, Associated Press, Reuters, SCMagazine/SCMedia, VentureBeat, TechCrunch, eWEEK, Computerworld, and various other technology titles. He's been quoted on security issues in The Wall Street Journal, The Washington Post, Time, American Banker, BusinessWeek, Ars Technica, The Register, CNN, CBSNews.com, USA Today, Boston Globe, Los Angeles Times, Wired, Consumer Reports, and U.S. News & World Report, among others. He is the founding editor for StorefrontBacktalk, and he has consulted on cybersecurity content issues for McKinsey, Wipro, Microsoft, Capital One, BlackBerry, Harvard Business Review, and MIT. Evan has also repeatedly guest lectured on cybersecurity issues for graduate classes at Columbia University and New York University. He can be reached at [email protected], and he's active on Bluesky and Threads.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights