SEC Requires Companies to Disclose Cyberattacks

Data breaches increased 600% over the last decade, to 188 in 2021 from 28 in 2011

Rocio Fabbro
Photo caption: Gensler of the SEC. The agency “is very much focused on institutional insider trading and what they view as abusive or aggressive practices in the context of public companies,” says a former federal prosecutor. (Win McNamee/Getty Images)

The Securities and Exchange Commission adopted new rules Wednesday requiring companies to publicly disclose cyberattacks.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

Registrants will now be required to disclose cybersecurity “incidents,” which generally include cyberattacks, hacks and ransomware demands, within four days of the threat. Companies will have to describe the nature, scope and timing, as well as the impact of the incident.

There will also be requirements for boards of directors to report on their processes for assessing, identifying, and managing cybersecurity risks and threats on an annual basis.

Data breaches increased 600% over the last decade, to 188 in 2021 from 28 in 2011, according to data provided by the commission. Last year, 83% of organizations experienced more than one data breach with an average cost of $9.44 million. Some estimates put the total costs to the U.S. economy as high as trillions of dollars per year.

There were previously no disclosure requirements relating to cybersecurity risks. 

“The final rule will change that, and provide investors with more timely, standardized, and informative disclosures, which will reduce market mispricing and information asymmetries,” SEC Commissioner Jaime Lizárraga said in a statement ahead of the vote.

The commission also adopted rules requiring foreign private issuers to make similar disclosures.

