SEC Adopts New Rules Requiring Disclosure of Cybersecurity Incidents
The Securities and Exchange Commission (SEC) has adopted new rules requiring public companies, including foreign private issuers, to disclose material cybersecurity incidents.

The new rules will also require the companies to detail their risk management, strategy and governance on a yearly basis, the SEC said in a Wednesday (July 26) press release.

The SEC is attempting to enhance investors’ understanding of material cybersecurity risks, allowing them to allocate capital more efficiently, according to the release.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in the release. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

The new rules will require registrants to report any material cybersecurity incident under the new Item 1.05 of Form 8-K and to describe the material aspects of its nature, scope and timing, along with its material impact or reasonably likely material impact on the registrant, according to the press release. The Form 8-K is due within four business days of the registrant determining that the incident is material; disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

The new Regulation S-K Item 106 will require registrants to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, the release said. Registrants must also state whether any risks from cybersecurity threats, including those arising from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Investors must also be informed of the board of directors' oversight of risks from cybersecurity threats and of management's role and expertise in assessing and managing those risks.

The final rules will become effective 30 days after publication of the adopting release in the Federal Register, per the release. The annual Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after Dec. 15, 2023; the Form 8-K and Form 6-K incident disclosures will be due beginning the later of 90 days after Federal Register publication or Dec. 18, 2023, with smaller reporting companies getting an additional 180 days before the Form 8-K requirement applies to them.

“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them,” Gensler said in the release.

The SEC proposed amendments to its rules on cybersecurity risk management, strategy, governance and incident reporting by public companies in March 2022, with Gensler saying at the time: “Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs.”

PYMNTS research has found that fraud attacks on financial institutions and other commercial entities are increasing. A range of fraud types is growing globally, and providing seamless payments experiences within a secure environment is a daunting challenge, according to the "Payments Security Amid Uncertainty Playbook: Fighting Fraud and Crime With Digital Innovation," a PYMNTS and Citi collaboration.