Request InfoApply Now
Academic Programs
Online Executive Juris Doctor Degree
Online Juris Doctor Degree
Non-Degree Seeking Single Courses
California Bar Exam
California Law Degree
Admissions
Admissions Requirements
Technical Requirements
Who Should Attend Law School?
B&P 6061.7 Disclosure
Tuition and Fees
EJD and JD Students
Non-Degree Seeking Students
About The Law School
Accreditation
Contact Us
Informational Webinars and Events
Faculty
How Online Law School Works
FAQs About the Law School
Our Law School History
News and Media
Student Life
Academic Support
Career Services
Graduation
Law Library
Tech Support
Student Community
Student Satisfaction
Alumni
Alumni Resources
Alumni Success Stories
Blog
Careers
Constitutional Law
Dean's Column
Law Student Life
News and Commentary
Contact US

877-757-8189

Student Login

Request InfoApply Now
HomeblognewsNew SEC Rules Require Public Companies to Disclose Cybersecurity Incidents
An illustration of a computer network being attacked with data leak, security breach and more.
NEWS AND COMMENTARY

New SEC Rules Require Public Companies to Disclose Cybersecurity Incidents

January 9, 2024 | Purdue Global Law School

Cybersecurity threats can have a devastating impact on businesses. According to a report from Bitglass, publicly traded companies that suffered a security breach lost 7.5% of their stock value and $742 million market cap on average. It took 46 days for the average company’s stock prices to recover.

Cybersecurity incidents impact stock values in several ways. They typically cause operational disruptions that affect production and lower revenue. There are also direct expenses, such as the cost to recover systems and data, regulatory fines, and lawsuits. Perhaps most significantly, cybersecurity incidents erode customer trust and cause reputational damage.

These kinds of statistics get the attention of regulators. On July 26, 2023, the U.S. Securities Exchange Commission (SEC) adopted new rules requiring public companies to disclose material cybersecurity incidents to investors. Companies must also include information on cybersecurity strategies, risk management, and governance in their annual reports. The rules are designed to provide investors with the timely and consistent information needed to make more informed investment decisions.

Why the Rules Are Needed

Federal securities laws have long required that public companies disclose information on events and risks that investors consider relevant to investment decisions. However, there were no specific requirements for the reporting of cybersecurity incidents. In 2018, the SEC issued guidance on such disclosures, but incidents have not been consistently reported. The new rules close that gap.

The rules are also consistent with other federal regulatory requirements. For example, the Cyber Incident Reporting for the Critical Infrastructure Act (CIRCIA) of 2022 requires organizations in 16 critical infrastructure sectors to report security incidents within 72 hours. The Department of Defense, General Services Administration, and National Aeronautics and Space Administration have proposed amendments to the Federal Acquisition Regulation requiring federal contractors to report cybersecurity incidents.

What Is a Cybersecurity Incident?

The first step toward complying with the rules is to understand what types of incidents must be disclosed. The SEC rules define a cybersecurity incident broadly as any “unauthorized occurrence … that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.” This would include incidents that affect the company’s operations even if no sensitive data is compromised.

A material incident is one “to which there is a substantial likelihood that a reasonable investor would attach importance.” To make the determination, companies must evaluate all relevant facts based on qualitative factors such as reputational harm as well as financial impact. If materiality isn’t immediately clear, companies should continue the analysis as the investigation uncovers additional facts.

Disclosure of Cybersecurity Incidents

Public companies must provide information about material cybersecurity incidents on Form 8-K — the “current report” that must be filed with the SEC to advise shareholders of major events impacting the company. (Foreign private issuers use Form 6-K.) An incident must be reported within four business days after the company determines it is material. The determination must be made “as soon as reasonably practicable after discovery of the incident.”

The report must include:

  • A brief description of the incident, including its scope

  • The date the incident was discovered

  • Whether the incident has been remediated

  • Whether any data was accessed, altered, stolen, or otherwise used

  • The incident’s impact on the company’s operations

If additional information comes to light after submission of Form 8-K, the company must provide updates in their Form 10-Q quarterly reports or Form 10-K annual reports. Additionally, companies must report incidents that “become material in the aggregate.”

Reporting of Cybersecurity Risk Management and Governance

Companies must also disclose their risk management policies in their annual reports. This includes:

  • Internal policies and procedures, including a description of any cybersecurity risk assessment program. In particular, companies must describe policies and procedures for preventing, detecting, and mitigating cybersecurity incidents.

  • Management’s expertise in implementing policies. Specifically, companies must explain which persons are responsible for managing cybersecurity risks and how they are informed about cybersecurity strategies.

  • The role of the board of directors in cybersecurity risk management. This includes the frequency with which board members discuss cybersecurity, how they’re informed of risks, and how they manage risk within the framework of business strategy.

The report should also discuss how cybersecurity risks have affected or will likely affect the company’s operations, and what recovery and business continuity plans the company has in place.

Corporate Criticisms

When the SEC proposed the new rules, public companies argued that four days was inadequate time to gather the information needed for disclosure. They also argued that disclosing incidents publicly before they are fully remediated could give threat actors information that allowed them to expand the attack.

In addition, companies complained that they would have duplicate reporting requirements, particularly if they were in critical infrastructure or defense sectors. However, the greatest concern involved the breadth of SEC regulation — the cybersecurity incident reporting requirements are only a small component of more than 50 proposed rules.

Deadlines Looming

Despite these arguments, the final rules became effective on September 5, 2023. Public companies, except smaller reporting companies (SRCs), were required to begin disclosing cybersecurity incidents as of December 18, 2023. SRCs have until June 15, 2024, to comply. All public companies must begin reporting their risk management and governance policies in their annual reports for fiscal years ending on or after December 15, 2023.

Learn More About New Developments in Law

Stay up to date on the most current legal developments in California and the rest of the nation with Purdue Global Law School.

Purdue Global Law School offers an online Juris Doctor if you wish to become an attorney licensed in California. If you wish to advance your legal education but do not intend to become a practicing attorney, you may consider an online Executive Juris Doctor.

Single law courses are also available to help you explore a particular area of law without committing to a full degree program. Request more information today.

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.

Filed In:
Notes and Conditions - Please read

JD Program: Study at, or graduation from, this law school may not qualify a student to take the bar examination or be admitted to practice law in jurisdictions other than California. A student who intends to seek admission to practice law in a jurisdiction other than California should visit Purdue Global’s State Licensure and Certifications page for state-specific requirements. Students are highly encouraged to confirm state requirements from the appropriate bar admissions office for their state of residence. 

EJD Program: Except as provided in rule 4.30 of the Admissions Rules (Legal education in a foreign state or country), completion of a professional law degree program at this law school other than for the Juris Doctor degree does not qualify a student to take the California Bar Examination or satisfy the requirements for admission to practice law in California. It may not qualify a student to take the bar examination or to satisfy requirements for admission to the practice of law in any other jurisdiction. A student who intends to seek admission to practice law should visit Purdue Global’s State Licensure and Certifications page for state-specific requirements. Students are highly encouraged to confirm state requirements from the appropriate bar admissions office for their state of residence.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

© 2024, Purdue Global, a public, nonprofit institution.