Public companies will be required to disclose material cybersecurity events within a four-day window, according to newly adopted, tightened reporting rules from the Securities and Exchange Commission (SEC).That four-day reporting period could keep managed security service providers (MSSPs) and managed service providers (MSPs) on their toes. In some cases, the service providers themselves could be publicly held companies. In other cases, publicly held customers may call on their MSSPs and MSPs to help rapidly document an incident.Additionally, the reporting requirement could confuse critical infrastructure owners and operators, who must report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within three days. It could also clash with a one-day requirement following a ransom payment.SEC Chair Gary Gensler commented on the new rules:“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Reporting Process Detailed
The Wall Street watchdog said in a 3-2 vote that registrants will be required to report a security incident in an 8-K document within four business days and also disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance to better inform investors, the SEC said.The rules were first proposed more than a year ago. Congress has gone through a number of bills before arriving at the Cyber Incident Reporting Act that served as a key element of the current rules, which are hinged on "material" events. In addition, there’s been some discussion among legislators and cyber leaders on charging fees to entities, including service providers, for failing to report incidents.According to the SEC, a material event is one that would require the company’s shareholders to consider along with other information when or if making an investment.The regulations will also require reporting of the following:- Describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
- Registrants must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats.
- Describe material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
- Annual report of the board of directors’ oversight of risks from cybersecurity threats.
- Annual report of management’s role and expertise in assessing and managing material risks from cybersecurity threats.




