
SEC Will Now Require Certain Data Breaches to Be Disclosed Within 4 Days

As soon as a publicly traded company realizes the breach could be materially impactful, the clock starts ticking.
By Adrianna Nine

The US Securities and Exchange Commission (SEC) voted 3-2 Wednesday to shift its data breach disclosure mandates. Under the new rule, publicly traded companies must disclose data breaches within four days if those breaches could be materially impactful. 

The clock begins when a company determines that a breach will affect its bottom line. At that time, the affected company will use two items added to Form 8-K, a form used to share material events with investors as required by the Securities Exchange Act, to disclose the breach. One of these items provides space for the company to describe how and when the incident occurred and who or what might be impacted. The other requires the company to describe how it came across, assessed, and managed the breach. This form must be submitted within four days, except in rare cases that pose a significant risk to national security or public safety, in which case the SEC can mandate immediate disclosure. 

Because this is the SEC and not a consumer-focused entity like the Federal Trade Commission, the agency is more concerned with how breaches might impact investments than how they could alter users’ lives. “Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” SEC Chair Gary Gensler said. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”


Data breaches have indeed been known to affect companies’ share prices within days or even hours: When investors discovered Capital One’s data breach in 2019, the company’s stock price fell nearly 6% and was down by 13.89% two weeks later. Robinhood, a stock and cryptocurrency exchange app, also saw a sudden 3.8% drop in stock price following a 2021 extortion attempt and data breach. The latter is said to have affected 7 million users.

The SEC’s vote was anything but unanimous, so some commissioners responded to the rule with displeasure. “Today’s rule…reads like a test run for future overly prescriptive, overly costly disclosure rules covering a never-ending list of hot topics,” Commissioner Hester Peirce said in her dissent. “A flexible, principles-based approach that allows for disclosures tailored to the issuer making them would be a better way to protect investors.”
