
July’s SEC Ruling: An Expedient Cybersecurity Mandate

11 Sep 2023 2 PM
  • Published by Joseph Feiman
  • On July 26, 2023, the United States Securities and Exchange Commission (SEC) adopted rules requiring all public companies to:

    1) Disclose material cybersecurity incidents that they experience, generally within four business days of such determination.

    All public companies, other than smaller reporting companies, must begin complying on the later of 90 days after the date of publication in the Federal Register or December 18, 2023.  Smaller companies are given an additional 180 days. New Form 8-K Item 1.05 will require companies to disclose any cybersecurity incidents they determine to be material and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.

    2) Disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

    All public companies must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.  New Regulation S-K Item 106 will require companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Item 106 will also require companies to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

    Note the urgency of the ruling: the SEC adopted it on July 26, 2023, and required implementation by mid-December 2023. Note also that the SEC makes all public companies, big or small, responsible for making those disclosures.

    The SEC was concerned by the following statistics, which it presented as justification for the ruling:

    • The number of reported breaches disclosed by public companies has increased almost 600 percent over the last decade.
    • Some estimates put the economy-wide total costs as high as trillions of dollars per year in the U.S. alone.
    • The U.S. Council of Economic Advisers estimated that in 2016 the total cost of cybersecurity incidents was between $57 billion and $109 billion, or between 0.31 and 0.58 percent of U.S. GDP in that year.
    • A more recent estimate suggests the average cost of a data breach in the U.S. is $9.44 million.

    The SEC observed that cybersecurity threats and incidents pose an ongoing and escalating risk to public companies, investors, and market participants. 

    • Cybersecurity risks have increased alongside:
      • The digitalization of companies’ operations,
      • The growth of remote work,
      • The ability of criminals to monetize cybersecurity incidents,
      • The use of digital payments,
      • The increasing reliance on third-party service providers, including cloud computing.
    • The cost to companies and their investors of cybersecurity incidents is rising at an increasing rate.
    • Disclosure practices are inconsistent.

    The ruling is intended to result in consistent, comparable, and decision-useful disclosure. The SEC requires public companies to disclose any cybersecurity incident they determine to be material and requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats.

    The SEC ruling mandates that enterprises take immediate action to equip themselves with technologies and practices for reporting, a new challenge that enterprises will face starting immediately.