Jul 28, 2023 - Technology

Public companies face new SEC cyber reporting rules

Illustration: Allie Carl/Axios

The Securities and Exchange Commission has waved through a new, highly anticipated cybersecurity regime for public companies that requires them to publicly share the news of significant hacks.

Driving the news: The SEC voted Wednesday to approve new rules that require publicly traded companies to report "material" cyber incidents within four business days via a public 8-K filing and to share details about their overall cybersecurity strategies in an annual 10-K filing.

  • The SEC spent more than a year deliberating the nuances of the rules and collecting feedback from cybersecurity professionals, companies and other stakeholders.
  • The final product took many of the public's concerns into consideration, experts told Axios.

Why it matters: Public companies will soon have a single standard for what to disclose about material cyber incidents, and when, to their investors and shareholders.

  • Under the SEC rules, companies will now have to report a cyber incident via an 8-K filing within four business days of determining that the incident is material. The clock starts at the materiality determination, not at discovery of the incident.
  • Before, the obligation to report these incidents was a patchwork. Many companies shared details in 8-K forms already, but the amount of detail in those disclosures varied greatly.

What they're saying: "The commission and maybe the staff, too, noticed that although more cybersecurity disclosures were coming in some cases, it was very uneven," David Martin, senior counsel at law firm Covington & Burling LLP, told Axios.

  • "Another principle around these rules was to try to get everybody on the same page," he added.

Details: The final SEC rules differ from the original, highly contested draft rules first proposed in March 2022.

  • The final rules drop the proposed requirement to disclose whether any board member has cybersecurity expertise. Instead, companies need to share details in annual reports about who on their management team oversees cybersecurity efforts and which board committee, if any, is responsible for overseeing cybersecurity risk.
  • And the SEC added a new provision allowing a company to delay reporting an incident on national security or public safety grounds. However, only the U.S. attorney general can authorize such a delay, by determining that immediate disclosure would pose a substantial risk to national security or public safety.

Between the lines: Many of these changes were made after stakeholders expressed concerns that divulging too much about their cybersecurity systems early in incident response, while the attacker may still have access, could expose them to further attacks.

The big picture: Whether companies are already prepared for these rules largely depends on their size and existing cybersecurity investments, Kaylee Cox Bankston, a partner at law firm Goodwin Procter LLP, told Axios.

  • "I don't know that I've spoken to any clients who are excited about the rules and say we really need this," Bankston said. "But some are certainly more prepared than others."

The intrigue: For a lot of companies, adhering to these rules most likely won't require too much additional spending, Matt Gorham, leader of the Cyber & Privacy Innovation Institute at PwC US, told Axios.

  • Cybersecurity has long been a top investment for many publicly traded companies, Gorham said, and now they'll just need a plan in place for how to handle a public filing ahead of the next incident.

Yes, but: It's yet to be determined how the SEC rules will work alongside other government cyber reporting requirements.

  • While the SEC determined that certain Federal Communications Commission breach-notification requirements should take precedence, permitting a delay in the 8-K filing where the two would conflict, the SEC didn't address the interplay with other regimes further.
  • The Cybersecurity and Infrastructure Security Agency is currently in the rule-making process to determine how the new reporting rules for critical infrastructure operators, mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, will go into effect.
  • "It remains to be seen how much that harmonization will actually be able to occur between these various different regimes," Caleb Skeath, a cybersecurity-focused partner at Covington, told Axios.

What's next: Most companies will need to start complying with the 8-K requirements either 90 days after publication in the government's Federal Register or on Dec. 18, 2023, whichever is later.

  • The new 10-K requirements go into effect for fiscal years ending on or after Dec. 15, 2023.
