SEC’s New Cyber Disclosure Rule and its Comparison with GDPR Notice Requirements

The Securities and Exchange Commission in the U.S. now requires public companies to timely disclose material cyber incidents. The requirement went into effect on December 18, 2023.

While the U.S. already had numerous cyber incident notice rules at the state level, this is the first federal-level disclosure rule that is not sector-specific.

What's the New SEC Rule?

Under this new rule, public companies have only four business days to (1) determine the materiality of an incident following discovery and, (2) if the incident is determined to be material, file an Item 1.05 Form 8-K. This is a short time period, akin to the 72-hour rule under the GDPR. Unsurprisingly, many commenters shared concerns regarding the shortness of the four-business-day period. Comparing this to the Breach Notification Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) shows the drastic difference between the timelines. The HIPAA Breach Notification Rule requires 'covered entities' (i.e., healthcare-industry companies) to notify the Secretary without unreasonable delay and in no case later than 60 days following a breach if 500 or more individuals are affected. If fewer than 500 individuals are affected, the covered entity may notify the Secretary in its annual filings.

Under this new SEC rule, when filing an SEC Form 8-K, the registrant needs to disclose “the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” Accordingly, whether or not a security breach or a cyber incident is material will be extremely important.

Public companies may omit disclosure of a material cyber incident only if public disclosure of the cybersecurity incident threatens public safety or national security. The Department of Justice guidelines suggest that this option is unlikely to be available in most cases.

Cyber Incident and Data Breach: What is the Difference?

A data breach is a type of cyber incident in which an unauthorized person gains access to confidential or sensitive data stored on a system or network. You can think of a cyber incident as a thief who managed to open your front door. If the thief manages to see or steal your diary, that's a data breach. But if you caught the thief right at the door and scared them away without them seeing or taking anything, that's only a cyber incident (because they managed to defeat your security control, i.e., your door lock).

Notably, the new SEC rule applies to cyber incidents, not only to data breaches. Hence, even if the hackers did not access or steal anything from your company's network, if you deem the incident 'material' you need to disclose it.

Comparison with GDPR

Below I have compared the main aspects of the new SEC disclosure rule with the notification rules under the GDPR.

[Table not reproduced here: Comparison of the Main Aspects of the Breach Notices under SEC and GDPR]

When you read the rules side by side, it seems that:

  • the scope of the SEC rule is narrower, as it only covers public companies, while nearly every company in the EU is a data controller;
  • the scope of the security event is much broader under the SEC rule;
  • the timing of the SEC notice is at least one day longer than the GDPR period;
  • the assessment companies need to make in relation to the security event is, as of today, vaguer under the SEC rule, as we have ideas but no clear rules for determining 'materiality'; and
  • it will be interesting to see how companies will avail themselves of the exception to the SEC rule.

What's Next?

The SEC has stated that this new rule is intended to better inform investors about public companies' cybersecurity risk. Considering that ransomware attacks happen every 11 seconds, we should be seeing many SEC Form 8-K notices about cyber incidents in the upcoming days. Unless, of course, companies decide that these incidents were not material, in which case it will be interesting to see how 'materiality' is defined both in law and in practice.

Seçil Bilgiç

Data Protection Officer at Cohesity | Harvard LLM | CIPM | CIPP/E

10 months

Interesting update: If I am not mistaken, the first SEC cyber incident disclosure came from VF Corp (the apparel company that owns Vans) on December 18, 2023. Their stock price initially dropped by 5%, but it seems it's picking up again (after less than a month!). I'm leaving the sources below. It will be interesting to see how this plays out for other companies as well.

The disclosure can be found here: https://www.reuters.com/business/retail-consumer/vans-owner-vf-corps-order-fulfillment-operations-hit-by-cyber-incident-2023-12-18/

The share prices can be found here: https://www.reuters.com/markets/companies/VFC.N
