New SEC Cyber Incident Reporting Rules Now in Effect

Publicly traded companies will now have four business days to report a “material” cyber incident to the U.S. Securities and Exchange Commission (SEC). The SEC’s new set of rules, which were first approved in July 2023, went into effect on 18 December following a comment period that allowed companies, experts, and other interested parties to voice their opinions.

Under the new rules, cybersecurity events (for example, data breaches) must be reported to the SEC within 96 hours in a specific line item on a Form 8-K filing. The 8-K report should include the nature, scope, timing, and material impact of the incident, including financial and operational fallout—allowing organizations to focus on the impact of an event in its report.

To clarify, the clock doesn’t start ticking once a breach or other incident is discovered. Rather, the deadline is set four days from when the company determines that the incident was “material,” given that it is unlikely that an incident’s materiality can be determined the same day it was discovered, according to the SEC.

In a change from the July version of the rules, organizations are not required to include details or information about remediation efforts or status, nor whether any data had been compromised.

The final set of rules is meant to protect investors and facilitate capital formation, according to a statement from SEC director of corporation finance Erik Gerding. “These rules will provide investors with timely, consistent, and comparable information about an important set of risks that can cause significant losses to public companies and their investors. This disclosure can help investors evaluate those risks as they make investment and voting decisions,” according to the statement.

The new rules also cover breaches of third-party systems that may house an organization’s information.

“The regulation represents a significant shake-up for organizations, many of which have argued that the new rules open them up to more risk and that four days isn’t enough time to confirm a breach, understand its impact or coordinate notifications,” TechCrunch reported.

In response to concerns over sufficient time, the rules do offer a few exceptions to the four-day deadline, according to TechCrunch. Smaller organizations (ones that generate less than $100 million in annual revenues) will have a 180-day extension before having to disclose a cybersecurity event to the SEC. Larger organizations can be granted an exception if making the incident public would interfere with an ongoing police or law enforcement investigation.

The SEC will also allow companies to delay reporting an incident if the event becoming public knowledge “would pose a substantial risk to national security or public safety, contingent on a written notification by the Attorney General,” according to Gerding’s statement. Rather than trying to disincentivize organizations from working with law enforcement or other agencies in response to a cyber incident, Gerding said he “would encourage public companies to work with the FBI, CISA, and other law enforcement and national security agencies at the earliest possible moment after cybersecurity incidents occur.”

But, “it’s unlikely that this method will be used often,” CyberScoop noted, pointing to guidance from the U.S. Department of Justice (DOJ) published on 12 December. The DOJ memo noted that “In many circumstances, the prompt public disclosure of relevant information about a cybersecurity incident provides an overall benefit for investors, public safety, and national security.”

For more information about cyber incident response and recovery, check out Security Management's content collection on the subject from earlier this week.