Tech Matters: New data breach reporting rules start in December

By Leslie Meredith - Special to the Standard-Examiner | Nov 1, 2023

Cybersecurity rules passed in July of this year by the Securities and Exchange Commission will come into effect on Dec. 18 for large, publicly traded companies; smaller companies get an extra 90 days to comply. The new rules aim to bring some consistency to the ways companies report data breaches and bring more clarity to the methods these companies use to mitigate these types of risks.

Under the rules, companies have just four days to file a public report with the SEC and disclose a “material” cyber incident. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

Companies must include the nature, scope and timing of the incident and its likely impact on the company. The only exception to this rule is if a cybersecurity incident is determined to pose a substantial risk to national security or public safety and warrants a delay. Still, a request for delaying the disclosure must be filed with the SEC by the company, and only the United States Attorney General can grant a delay.

Further, the new rules require publicly traded companies to describe their processes to secure their data and operations from cyber threats, as well as their expertise in assessing and managing these risks. This part will be done in a company’s annual report filing to the SEC.

It probably comes as no surprise that some companies have expressed concern about the short — four-day — window to determine whether or not an incident is material and then report it to the SEC. Until recently, some companies took months to report a breach and only did so after they had completed their investigation. There can be many reasons for delay.

“Within four days of determining that a breach is material, the company may or may not have expelled the attacker and patched the vulnerability or the vector that caused the incident in the first place,” Harry Geiger, an attorney at the Center for Cybersecurity Policy and Law, said in an interview with Cyberscoop. “Disclosure of a breach may tip off other attackers to a vulnerable system, and if an attacker remains in an affected system, they may attempt to grab whatever data is available to them or burn down any infrastructure they have access to.”

Publicly traded companies may be hesitant to release such information before they’ve had a chance to repair the damage because of a possible impact on share price. Last month, when cybersecurity specialist Okta reported a security breach, its stock price dropped 11% in the same afternoon.

As for determining whether an incident is material or not, the SEC issued these guidelines. Consider the size of a breach — how much data was stolen and from how many customers. If the cyber incident results in significant financial losses, such as litigation costs, regulatory fines or lost revenue, it’s more likely to be material. The average cost of a data breach in 2023 is $4.5 million, according to IBM’s Cost of a Data Breach Report 2023. But it’s not only money; loss of reputation counts too. This is often tied to a breach involving personal data such as credit card numbers and login information. If the breach compromised this type of data and lots of it, the incident is likely material. And finally, if the incursion disrupted operations — remember MGM? — it’s probably material.

Businesses would be wise to prepare for the new rules by assessing the programs they have in place and looking for areas that need attention. To get an idea of how to put dollar figures on cybersecurity incidents, take a look at https://howmaterialisthathack.org, which includes a breakdown of cost estimates for MGM, Clorox and Caesars incidents along with their SEC filings.

Leslie Meredith has been writing about technology for more than a decade. As a mom of four, value, usefulness and online safety take priority. Have a question? Email Leslie at asklesliemeredith@gmail.com.