
Regulators have decided to revise the guidelines for reporting significant cyber incidents.

Agency decides on compulsory disclosure of data breaches and cyber attacks within four business days following their detection.

SEC approves revisions to disclosure standards for significant cyber incidents


The Securities and Exchange Commission (SEC) has approved a measure to require public companies to disclose material cybersecurity incidents within four business days, as part of a wider effort to improve disclosure of cybersecurity attacks and data breaches.

The new rules, which come into effect in 2025, are considered credit positive for public companies by Moody's Investors Service due to the transparency they provide. Lesley Ritter, SVP for Moody's Investors Service, stated that the new rules will provide more transparency into cybersecurity risks and more consistency and predictability.

Under the new regulations, companies must disclose material incidents affecting their operations on Form 8-K (Item 1.05), and provide detailed information on their cyber risk management strategies, board expertise related to cybersecurity, and third-party risks in their annual Form 10-K filings. Boards must certify cybersecurity expertise or explain any gaps, and companies must disclose if material incidents affecting third-party vendors impact their operations.

The four-day disclosure deadline for material cyber incidents after discovery and materiality determination is a key aspect of the new rules. Reporting must include timing, nature, scope, and actual or reasonably anticipated impacts on the company’s financial condition and operations. Technical response details may be withheld if disclosure would hamper remediation efforts.

The rules also emphasize transparency on cyber risk governance, including board-level accountability. Ongoing disclosure obligations related to cybersecurity risk management and vendor incidents affecting operations are also required.

Explicit exceptions or accommodations for smaller reporting companies (SRCs) are not spelled out in the 2025 rules as summarized here. Given the enhanced focus and penalties, smaller companies may face challenges, but they must comply unless the SEC states otherwise.

The effective dates and compliance timeline are as follows:

  • Cybersecurity incident disclosure deadline: applies to incidents in fiscal year 2025 onward.
  • Annual 10-K cybersecurity-related disclosures also begin with fiscal year 2025 filings.
  • Immediate board accountability requirements start in 2025.
  • Compliance enforcement and penalty provisions take effect concurrently.

Smaller reporting companies will have an additional 180 days before they have to report material incidents on Form 8-K. The U.S. attorney general can delay disclosures if the incident poses a substantial risk to national security or public safety, as part of the adopted SEC requirements.

The SEC's adoption of these cybersecurity rules followed intense debate among the agency leadership. Commissioners Hester Peirce and Mark Uyeda opposed the adopted requirements, arguing that they are overly burdensome and could hand attackers a roadmap to the success of their attacks. Dissenting opinions on the proposed rules raised the same concern: that a public company's disclosure of details could tip off malicious hackers by helping an adversary confirm whether an attack was actually working.

Increased disclosure under the new rules is expected to help companies compare practices and may spur improvements in cyber defenses. The SEC previously reached a $3 million settlement with software firm Blackbaud for making misleading comments on a 2020 ransomware attack.

In late June, the SEC notified SolarWinds of possible enforcement action related to statements made by the CFO and CISO about the company's cybersecurity practices in connection with the 2020 attacks by Russia-backed hackers. Taken together, the SEC's new cybersecurity disclosure regime imposes rapid, comprehensive reporting obligations on public companies: material incident disclosure within four business days, annual strategic disclosures, and strong board accountability, with no clear formal carve-outs or exceptions for smaller reporting companies beyond those noted above.

  1. The new cybersecurity rules, effective in 2025, require public companies to disclose material cybersecurity incidents within four business days, including details about the timing, nature, scope, and financial impacts.
  2. Moody's Investors Service considers these transparency measures credit positive for public companies, as they provide more information about cybersecurity risks and risk management strategies.
  3. Companies must also disclose their board expertise related to cybersecurity, third-party risks, and any gaps in cybersecurity expertise in their annual Form 10-K filings.
  4. Smaller reporting companies will have an additional 180 days before they have to report material incidents on Form 8-K, but may still face challenges due to the enhanced focus and penalties.
  5. The SEC's new cybersecurity disclosure regime may help companies compare practices and potentially spur improvements in cyber defenses, as seen in the SEC's $3 million settlement with software firm Blackbaud for misleading comments on a 2020 ransomware attack.
