New SEC rule requires public companies to disclose 'material' data breaches in 4 days

The Securities and Exchange Commission (SEC) has pulled back the curtain on a new final rule that requires public companies to disclose within four days all cybersecurity breaches that could impact their bottom lines.

The final rule, adopted Wednesday, starts the clock once “a registrant determines that a cybersecurity incident is material,” but can be bumped back should the U.S. attorney general determine that immediately disclosing the breach “would pose a substantial risk to national security or public safety,” the SEC wrote in its announcement.

Also included is a new annual disclosure in which public companies must describe their cybersecurity processes, directors’ and management’s oversight of such risks and the impacts of previous cybersecurity incidents. Similar disclosures will be required for foreign private insurers.

“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” SEC Chair Gary Gensler said in a release. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”

The rule was first proposed in March 2022, when it was critiqued by hospital groups (PDF) and groups from other industries for the tight deadline and a disclosure’s impact on third-party vendor relationships.

SEC commissioners passed the new rules in a narrow 3-2 vote.

SEC said the rules will go into effect 30 days following publication of the adopting release in the Federal Register. The annual disclosures will be due for fiscal years ending on or after Dec. 15. The incident disclosures will be due the later of 90 days post-publication or Dec. 18.

SEC’s push to protect investors and the markets falls in line with the increasing turmoil cybersecurity breaches have brought to companies. A recent IBM Security and Ponemon Institute report found the average total cost of a data breach rose 2.3% from $4.35 million in 2022 to $4.45 million in 2023.

The threat is more stark within healthcare where the average cost rose 8.2% from $10.1 million in 2022 to $10.9 million in 2023—not taking into account the risks patients face should a hospital's compromised system spread their sensitive data or cut off access to needed care.

Recent weeks alone have seen major hospital chain HCA Healthcare disclose a system breach potentially affecting 11 million patients’ data, which also opened the company up to a handful of class-action lawsuits seeking damages.