SEC Issues Final Cybersecurity Disclosure Rules for Public Companies
August 5, 2023
The Securities and Exchange Commission (SEC) finalized new rules last week by a vote of 3-2 that will require public companies to disclose more information about cybersecurity-related incidents, risk management, strategy, and governance. A joint comment letter by The Real Estate Roundtable and Nareit about the SEC proposal was cited nearly a dozen times in the final rule. (SEC fact sheet | Roundtable-Nareit comment letter, May 9, 2022)
The Roundtable and Nareit expressed a number of concerns in their May 2022 letter about the proposed rule’s rigid incident reporting deadlines and granular requirements, which the industry organizations stated may unintentionally exacerbate cybersecurity risks for issuers while imposing unjustified burdens. (Roundtable Weekly, May 13, 2022)
Under the new rules, registrants must disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is material; the four-day clock runs from the materiality determination, not from discovery of the attack. The Roundtable and Nareit objected to this deadline in their joint letter.
Responding to these concerns, the SEC stated in its final rule that it is “… providing for a delay for disclosures that would pose a substantial risk to national security or public safety, contingent on a written notification by the Attorney General, who may take into consideration other Federal or other law enforcement agencies’ finding.” (Pensions and Investments, July 26)
The SEC also responded to industry concerns by stating it had “streamlined” its incident disclosure requirements to focus on the material impact of an incident rather than on the technical details of the incident itself. (Wall Street Journal, July 26 | Pillsbury and Greenberg Traurig)
The agency states in its final rule, “To that end, to balance investors’ needs with the concerns raised by commenters … The final rules will require the registrant to describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
Public companies, including real estate issuers, will also be required in their annual reports to describe the board of directors’ oversight of risks from cybersecurity threats, identify any board committee or subcommittee responsible for that oversight, and describe the processes by which the board or committee is informed about those risks.
The final SEC rule will become effective on September 5, according to a notice today in the Federal Register. All registrants other than smaller reporting companies must begin complying with the Form 8-K incident disclosure requirement by Dec. 18, 2023; smaller reporting companies get an additional 180 days, until June 15, 2024. The annual report disclosures on risk management, strategy, and governance apply for fiscal years ending on or after Dec. 15, 2023.
The Roundtable’s Homeland Security Task Force will remain engaged with government officials and private sector partners on industry best practices to detect, protect against, and respond to a variety of key threats, including cyber-attacks.