Today, the Commission is considering adopting final rules regarding cybersecurity disclosures by public companies. I am pleased to support these rules because they will enhance and standardize disclosures to investors with regard to public companies’ cybersecurity practices as well as material cybersecurity incidents.
Increasingly, cybersecurity risks and incidents are a fact of modern life. When material incidents occur, they can have a range of consequences—including financial, operational, legal, or reputational.
Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.
Thus, this adoption will enhance public companies’ cybersecurity disclosure in two ways.
First, the rules will require periodic disclosures regarding companies’ risk management, strategy, and governance with respect to cybersecurity risks. This will help investors more effectively assess these risks and make informed investment decisions.
Second, the rules will require disclosure of material cybersecurity incidents. Many public companies already do this, but it’s not done consistently. Thus, today’s final rule will require that if public companies determine that they have experienced a material cybersecurity incident, they must disclose it in a Form 8-K filing. Companies will be required to do so within four business days, consistent with other Form 8-K reporting requirements. To be clear, the disclosure obligation will arise only after the company determines a cybersecurity incident was material, not simply after the incident has occurred.
Congress recognized the benefits to investors of current reporting in enacting the Sarbanes-Oxley Act of 2002. Through the Act, Congress required companies to “disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer… as the Commission determines … is necessary or useful for the protection of investors and in the public interest.”
In 2004, implementing Congress’s mandate, the Commission adopted rules expanding current reporting on a range of matters. Today’s rules will add material cybersecurity incidents to the list of current reporting requirements.
The rules will include limited delays for disclosures of material cybersecurity incidents that the U.S. Attorney General determines could pose a substantial risk to national security or public safety. Further, the adopting release provides that if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through possible exemptive orders.
In response to public comment, today’s adopting release streamlines required disclosures for both periodic and incident reporting. For example, the final rules will require issuers to disclose only an incident’s material impacts, nature, scope, and timing, whereas the proposal would have required additional details, not explicitly limited by materiality.
In considering today’s cyber-related disclosure rules, I am guided by the concept of materiality. Our markets depend on a basic bargain: Investors get to decide which risks to take so long as companies raising money from the public make full, fair, and truthful disclosure. Thus, if an issuer has a material cyber incident, then under today’s final rules, the issuer will need to disclose material information about that material incident.
Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors.
Over the generations, our disclosure regime has evolved to meet investors’ needs in changing times. Today’s adoption marks only the latest step in that long tradition.
Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.
I’d like to thank the members of the SEC staff who worked on these final rules, including:
- Mellissa Duru, Elizabeth Murphy, Luna Bloom, Nabeel Cheema, Ian Greber-Raines, Valian Afshar, Katherine Bagley, Irene Paik, Adam Turk, Rolaine Bancroft, Arthur Sandel, Michael Coco, Thomas Kluck, Chris Windsor, Robert Errett, Pearl Crawley, Terrance Brown, Erick Negron, and Nicholas Walters in the Division of Corporation Finance;
- Erin Smith, Vlad Ivanov, Albert Sheen, Connor Hurley, Rebecca Orban, Charles Woodworth, PJ Hamidi, and Gregory Scopino in the Division of Economic and Risk Analysis;
- Bryant Morris, Dorothy McCuaig, Joe Valerio, Ken Alcé, Andy Grant, Jeff Berger, and David Lisitza in the Office of the General Counsel;
- Arsen Ablaev, Melissa Hodgman, Carolyn Welshhans, David Hirsch, Jorge Tenreiro, and Amy Hartman in the Division of Enforcement;
- Keith Cassidy, Ian Greber-Raines, Alexis Hall, and Dan Dewaal in the Division of Examinations;
- Shaz Niazi and Mark Jacoby in the Office of the Chief Accountant;
- David Joire and Rachel Kuo in the Division of Investment Management; and
- Ed Schellhorn and Devin Ryan in the Division of Trading and Markets.
 Both staff and the Commission have previously issued guidance to public companies about cybersecurity disclosure obligations under current rules. However, staff have observed that this has not resulted in sufficiently consistent, comparable, and decision useful disclosures. See Securities and Exchange Commission Division of Corporation Finance, “CF Disclosure Guidance: Topic No. 2” (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. See also Securities and Exchange Commission, “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (Feb. 26, 2018), available at https://www.sec.gov/rules/interp/2018/33-10459.pdf.
 The materiality determination must be made “without unreasonable delay” after discovery of the cybersecurity incident.
 The Commission created Form 8-K in 1936 as the form to be used by companies to file “current” reports when specific extraordinary corporate events occur. The Commission has amended Form 8-K several times in the last four decades to change the 8-K format and timing and the events that would require reporting. For example, refer to the discussion in the 2002 proposing release for what became the 2004 adoption expanding Form 8-K requirements. See Securities and Exchange Commission, “Proposed Rule: Additional Form 8-K Disclosure Requirements and Acceleration of Filing Date” (June 17, 2002), available at https://www.sec.gov/rules/proposed/33-8106.htm#P46_4067.
 SOX Section 409, adding Section 13(l) to the Exchange Act.