New cybersecurity rules recently approved by the Securities and Exchange Commission are already having their effect on corporate disclosures.
The new rules, approved over the summer (
A recent study from cybersecurity and corporate governance solutions provider
The data also shows that the proportion of Russell 3000 companies that disclosed the presence of an information security program grew from 25% in 2021 to 51% in 2023; for those in the S&P 500, the rate went from 57% to 85%. The study also found that the frequency of such training has increased.
Disclosures about cybersecurity insurance have grown as well. For Russell 3000 companies, the proportion increased from 38% in 2021 to 58% now; for those in the S&P 500, it went from 50% to 68% in the same time period.
Companies are more forthcoming now about breaches, even ones that happened a while ago. The report found that, between 2021 and 2023, the proportion of entities disclosing whether they experienced an information security breach in the last three years went from 6% to 19% for Russell 3000 companies and 10% to 31% for S&P 500 companies. They are also more likely to disclose the cost and damages.
The report attributes these changes to the new disclosure rules and predicts they will have the intended effect of making entities more aware of cybersecurity in the future.
"The SEC's new cyber disclosure rules are a forcing function for management teams and boards," said Doug Clare, managing director and head of cyber strategy at ISS Corporate Solutions. "As companies will now need to make more robust disclosures about their cyber risk management practices, the rules will undoubtedly compel many firms to adopt more robust processes worthy of the disclosure."