The Securities and Exchange Commission voted 3-2 to adopt new regulations that would require publicly traded companies to notify the government when their IT systems are hacked and periodically disclose details about their cybersecurity risk governance in public filings.

The rules, first proposed in 2022, were adopted on July 26, 2023, and would compel businesses to notify the SEC within four days of determining that a cybersecurity incident will have a “material” impact on their business operations. They would require information on the nature, scope, and timing of the incident, as well as the “likely” material impact on the registrant’s financial conditions and operations.

The Commission proposed to amend Form 8-K by adding new Item 1.05 that would require a registrant to disclose the following information regarding a material cybersecurity incident, to the extent known at the time of filing:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data were stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the registrant has remediated or is currently remediating the incident.

The Commission clarified in the Proposing Release that this requirement would not extend to specific, technical information about the registrant’s planned response to the incident, about its cybersecurity systems, related networks, and devices, or about potential system vulnerabilities, in such detail as would impede the registrant’s response to or remediation of the incident.

The regulations would also compel companies to disclose their cybersecurity risk management, strategy, and governance in their annual filings. The newly approved disclosures would include details on how the board of directors oversees risks from cybersecurity threats and would identify the board committee or subcommittee responsible for that oversight.