
The SEC is giving companies four days to report cyberattacks

Critics question whether the new rules might do more harm than good

Report rapidly.
Illustration: Kacper Pempel (Reuters)

The US Securities and Exchange Commission (SEC) wants public companies to be more transparent and forthcoming about “material cybersecurity incidents,” the federal agency said yesterday (July 26).

Its new rules, passed by a 3-2 vote, dictate that companies must disclose details of incidents and their effect on the bottom line in a section of Form 8-K, a broad form companies use to notify shareholders of major events, within four days of a cybersecurity event.


A delay in filing will only be allowed if the US Attorney General determines that “immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing,” the SEC said.

The final rules, which will be published in the Federal Register later this year, will apply to larger companies within 30 days. Smaller companies will be given a more generous deadline—180 days—to comply.


One big number: Growing cybersecurity threats

Nearly 600%: Increase in cybersecurity breaches reported by public companies in the last decade, from 28 in 2011 to 188 in 2021. Costs associated with the breaches, borne by issuers and their investors, amount to trillions of dollars per year in the US alone. And the monetary cost isn’t everything. “Cybersecurity intrusions can go beyond the loss of sensitive information and related remediation...they can alter the normal course operations of complex, capital- and infrastructure-intensive businesses,” SEC Commissioner Caroline A Crenshaw said yesterday.

Quotable: Cybersecurity damage

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident—it may be material to investors. Over the generations, our disclosure regime has evolved to meet investors’ needs in changing times. Today’s adoption marks only the latest step in that long tradition.” SEC chair Gary Gensler


The pros and cons of SEC’s new cybersecurity reporting rules

👍 Standardization in reporting. Companies can no longer cherry-pick which incidents to report and which details to withhold. In addition to expeditious 8-Ks, the new rules also require firms to disclose annually information on their cybersecurity risk management and executive expertise.


👍 Broader industry benefits. Timely reporting “can serve as an alert to companies in the same sector that malign actors are launching cyber-attacks,” according to SEC commissioner Jaime Lizárraga, giving them “more time to raise their cyber defenses and to mitigate any potential damage.”

👎 Disproportionate obligations for cybersecurity matters. The same level of disclosure is not needed for customer acquisition and retention, product development, innovation, globalization, competitors, regulatory approvals, taxes, supply chain management, and more. “Compared to cybersecurity, these other risks likely have a greater effect on the company’s financial performance and, accordingly, its stock price,” argued SEC commissioner Mark T. Uyeda, who considered the new disclosure requirements involving potential remediation costs, potential loss of customers and revenue, and more, to be excessively burdensome.


👎 Timeline too tight. The reduced timeline risks shifting companies’ focus to disclosure over handling and containing the attack, according to Uyeda. Plus, premature public disclosure of potentially incomplete information could also “result in uncertainty of vulnerabilities at other companies...resulting in widespread panic in the market and financial contagion,” he added.

👎 Outside the SEC’s ambit. The SEC is asking for granular disclosures and creating a cybersecurity checklist it “is not qualified to write,” as per SEC Commissioner Hester M. Peirce. Eventually, “the temptation to micromanage their operations will only grow.”


👎 Aiding cyber thieves. Criminals could use disclosures as a “roadmap on which companies to target and how to attack them,” Peirce warned. Estimates of financial fallout could indicate the ransom an attacker can demand. The New York Stock Exchange and Nasdaq have expressed similar concerns.
