Cyber breaches cost investors money. How SEC's new rules for companies could benefit all.

The U.S. Securities and Exchange Commission announced new rules yesterday requiring public companies to disclose cybersecurity incidents as soon as four business days.

SEC Chair Gary Gensler said the disclosure "may be material to investors" and could benefit them, the companies and markets connecting them.

“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way," he said.

The new rules were proposed in March 2022 after the SEC noted the increase in cybersecurity risks following the way companies pivoted toward remote work, moving more operations online, use of digital payments, increased reliance on third-party service providers for services like cloud computing technology, and how cyber criminals are able to monetize cybersecurity incidents.

What is the SEC cyber disclosure rule?

Under the new rules, companies are required to fill out the brand new 8-K form, which will have Item 1.05 added to disclose cybersecurity incidents. It will require disclosing and describing the nature, scope, and timing of the incident, material impact or reasonably likely material impact, including the financial condition and results of operations.

If the incident will have a significant effect, then the company has to report it in four days. But if the U.S. Attorney General deems the immediate disclosure a risk to national security or public safety, disclosure could be delayed.

The new regulation requires companies to describe their process assessing cybersecurity threats, how their board of directors oversee cybersecurity threats, and how management assesses the threat.

Foreign companies will use the amended 6-K form to disclose cybersecurity incidents and the amended 20-F form for periodic disclosure.

How much does a data breach cost a business?

In this year's "Cost of a Data Breach Report" by IBM Security, the average cost of a data breach in 2023 was $4.45 million, a 2.3% increase from 2022 when it was $4.35 million. The United States has lead the way for 13 consecutive years in highest data breach costs. This year, the Middle East, Canada, Germany and Japan also made up the top five countries with the most expensive data breaches.

During ransomware attacks, companies that excluded law enforcement paid 9.6% more and experienced a longer breach at 33 days.

Only one-third of the companies found data breaches themselves, while the rest were reported by the attackers themselves or by a third party. Among industries, health care had the highest data breach costs in the U.S. this year, followed by the financial, pharmaceutical, energy, and industrial sectors in order.