Image: Michael Traitov/stock.adobe.com

27 July 2023
US
Reporter Lucy Carter

SEC adopts cybersecurity risk management rules

The Securities and Exchange Commission (SEC) has adopted rules requiring companies to disclose material cybersecurity incidents and provide annual information on their cybersecurity risk management, strategy and governance practices.

The rules will come into effect 30 days after being published in the Federal Register. Foreign private investors are required to make similar disclosures.

Companies must describe the material aspects of an incident’s nature, scope and timing, along with the material or reasonably likely material impact it has had. The processes a company has in place to assess, identify and manage material risks from cybersecurity threats must also be disclosed.

Additionally, the material or reasonably likely material effects of potential and previous cybersecurity incidents must be provided. Descriptions of the board of directors’ oversight of cybersecurity risks and of management’s role in assessing and managing material threats will also be required in the annual report.

Gary Gensler, chair of the SEC, says: “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way.

“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”

Black Knight Media