Congress established the core framework of our rulemaking process in 1946, when the Administrative Procedure Act passed unanimously into law.[1] This is the foundational framework through which federal agencies, such as the SEC, incorporate feedback from the public. It is a rigorous and invaluable process. And, as is always the case, this process has fundamentally informed the policies that we adopt. So I want to start by thanking the many commenters who weighed in on this rule, who helped magnify the extent of the cybersecurity-related risks faced by public companies and their investors, and who helped us crystallize the cybersecurity rule we vote on today.
To give some context, cybersecurity breaches reported by public companies increased by nearly 600% in the last decade, and the costs, borne by issuers and their investors, are estimated to be in the trillions of dollars per year in the U.S. alone.[2] The numbers are staggering, and I’m cognizant that even those substantial measurements do not tell the whole story. Cybersecurity intrusions can go beyond the loss of sensitive information and related remediation; as we saw in the Colonial Pipeline intrusion in 2021, they can alter the normal-course operations of complex, capital- and infrastructure-intensive businesses.
And as the comment file substantiated, knowledge of cybersecurity threats and breaches is essential to understanding a firm. Among other reasons, breaches can (and do) result in loss of revenue, customers, and business opportunities.[3] Those harms may be realized, or they may be ongoing in the form of lost sensitive information, remediation costs, and losses in shareholder value.[4]
Despite the consensus on the harmful nature of cyber incidents, commenters highlighted that existing disclosure practices vary in substance, organization, and presentation, thus establishing a need for, and benefit of, comparable, reliable, and decision-useful disclosures to investors.[5]
Today’s rule serves as an important reminder of how our continuous reporting framework incorporates emerging risks – just as it was intended to do.[6] The rule will, among other things, provide investors and market participants across the board with critical information relating to a company’s risk management and strategy, as well as governance, in its periodic reporting. The rule will also enhance the current reporting framework by adding the obligation that a public issuer file a Form 8-K upon experiencing a material cybersecurity incident.[7] And finally, we take the important first step of ensuring adequate disclosure of management’s cyber expertise. Commenters of all stripes agreed that cyber expertise at public companies is critical,[8] and this new disclosure will help ensure investors understand what skillset management brings to bear on the day-to-day oversight and operations related to cyber risks and incidents. Nonetheless, the Commission should continue to consider further disclosures, such as whether there is cyber-related expertise on the board.
Congratulations to all of the staff for their tremendous work on this rule. Your dedication, diligence, and thoughtfulness cannot be overstated. Investors and the market alike benefit from your work. Thank you again to all of the staff who worked on this rule, including those within the Division of Corporation Finance, Office of the General Counsel, and Division of Economic and Risk Analysis.
[1] See 92 Cong. Rec. 2167, 5668.
[2] See, e.g., Adopting Release at IV.B.1.
[3] See, e.g., Choudhary, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 3, 2022); American Institute of Certified Public Accountants, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 6, 2023); BitSight, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 6, 2022); Better Markets, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 9, 2023); CalPERS, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 9, 2023); Crindata, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 9, 2023); CII, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 9, 2023); NASAA, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 9, 2023); Information Technology & Innovation Foundation, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 9, 2023); Rajgopal & Sharpe, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 9, 2022). See also Adopting Release at I., IV.A., IV.C.1
[4] See, e.g., Adopting Release, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Rel. No. [] at n. 460 (July 25, 2023) (“Adopting Release”); Choudhary, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 3, 2022); Rajgopal & Sharpe, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 9, 2022).
[5] See Adopting Release at 119. See also BitSight, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 6, 2022) (“Cybersecurity is a critical risk that can materially impact a company’s long-term value and sustainability, and increased disclosure will improve the ability of investors and other market participants to assess and price cyber risk. We concur with the Commission that investors would benefit from more timely, consistent and informative disclosure about cybersecurity risks and incidents”); Better Markets, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure at 6-7 (May 9, 2023) (“[d]espite the serious risk posed by cybersecurity to a business’s operations, reputation, and financials, investors are often left to search for piecemeal disclosures regarding cybersecurity risks, policies and procedures, and incidents that management may elect to make in various places in a company’s annual and quarterly reports.”); CalPERS, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure at 4 (May 9, 2023) (“The Proposed Rule is needed to provide clarity regarding what, when, and how to disclose material cybersecurity incident information. Commission staff appropriately noted that current reporting is ‘inconsistent, may not be timely, and can be difficult to locate.’ The improved standardization of disclosures included in the Proposed Rule adds clarity to the reporting process”); CII, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure at 3 (May 9, 2023) (“The lack of timely, comprehensive disclosure of material cyber events exposes investors and the community at large to potential harm”); NASAA, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure at 2 (May 9, 2023) (“This is an area in which the existing guidance has not led to clear and consistent reporting by public companies”).
[7] See Adopting Release at II.A.
[8] See Adopting Release at n. 292. A bipartisan group of U.S. Senators authored a letter in support of the disclosure of board member cybersecurity expertise, if any. See Senator Reed, Senator Cortez-Masto, Senator Cramer, Senator King, Senator Wyden, Senator Warner, Senator Collins, Comment Letter on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (May 9, 2022).