As the Cybersecurity and Infrastructure Security Agency (CISA) continues through a lengthy rulemaking process to establish requirements for cybersecurity incident reporting by certain critical infrastructure entities, the Securities and Exchange Commission (SEC) on Wednesday published a final rule directing public companies to disclose material cyber incidents, and their plans to identify and manage risks from cyber threats.
The Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule goes into effect 30 days after it is published in the Federal Register. It requires public disclosure of cybersecurity incidents, including their nature, scope, and timing, within four business days of determining the event to be material.
Companies may delay incident disclosure if the U.S. Attorney General finds that reporting an event to the SEC “would pose substantial risk to national security or public safety,” the SEC said.
CISA is focused on creating greater situational awareness of cyber threats for itself, the government, and the private sector, so that information about threats can be shared quickly and widely and cyber-attacks and intrusions can be stopped. The SEC’s interest in cyber incident reporting and the steps public companies are taking to protect themselves from cyber threats is narrower—protecting investors.
“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” SEC Chairman Gary Gensler said in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
CISA is developing its cyber incident reporting rule at the direction of Congress, which passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law by President Biden in 2022. The law covers cybersecurity incidents and ransomware payments.
A draft rule from CISA is expected in March 2024 and a final rule in September 2025.
The private sector is concerned about duplicative cyber incident reporting requirements and having multiple federal agencies to report to, which would create compliance challenges and add to the cost of meeting the regulations.
CISA Director Jen Easterly this spring told Congress that she is sympathetic to industry’s concerns and highlighted that CIRCIA accounts for duplication in reporting by having federal agencies work together to ensure a company does not report an incident twice (Defense Daily, April 27). She also said that CISA and the SEC have spoken about their respective cyber incident reporting needs, adding that “I’m sure we’ll end up, I hope we’ll end up in a good place.”
Some industries are already required to report cybersecurity incidents to federal agencies. The Transportation Security Administration, which like CISA is an operational component of the Department of Homeland Security, has cyber incident and related risk management requirements for the pipeline, rail, and aviation sectors.
On Wednesday, TSA issued an updated security directive for oil and natural gas pipeline security that was developed with input from industry stakeholders and federal partners, including CISA and the Department of Transportation. The directive still requires that incidents be reported to CISA, that updated security assessment plans be submitted to TSA annually along with the results of the prior year's assessments, and that at least two cybersecurity incident response plan objectives be tested.