Cybersecurity in Focus: Navigating Communication Challenges Under the SEC’s New Four Day Disclosure Rule

Cyberattacks pose an escalating business risk, threatening not only a company’s operations, systems and finances, but also stakeholder trust. Like other rapidly evolving crises, a company’s response to a cyberattack is challenging to manage but vital in mitigating reputational damage.

Adding to this challenge, the SEC implemented new rules on December 18, 2023, governing the disclosure of significant cybersecurity incidents. Of note, the new rules require disclosure within four business days of an incident that is determined to have a material impact on the company.

Critics argue that this new timeframe is insufficient to resolve an incident before publicly disclosing a company’s cyber vulnerabilities, potentially exacerbating the harm to cyber incident victims and creating uncertainty in the public markets As cyber risks continue to rise in 2023, companies must be prepared to navigate the communications challenges posed by the SEC’s new rules.

The New Paradigm: Accelerated Disclosures and Emerging Challenges

The traditional approach is to disclose a breach only when sufficient information is available to assess the impacts – and when doing so would not interfere with law enforcement investigations into the incident. However, the shortened window to gather information before communicating forces companies to make public statements without having completed a full investigation. In the absence of definitive facts, the required disclosure may be unavoidably vague, creating  uncertainty for investors and analysts if the investigation cannot determine the extent of the impact in time. This situation can lead to an information vacuum, fueling persistent questions and speculation in subsequent communications.

The first significant disclosure under the new rules was made by VF Corp. In a filing disclosing a breach, the company stated that “the full scope, nature and impact of the incident are not yet known,” but that it “has had and is reasonably likely to continue to have a material impact” on the company’s business operations. Understandably vague, and hardly enlightening or reassuring to stakeholders.

Implications for Cyber Incident Communications

Many companies are proactively developing and implementing new protocols to comply with the disclosure requirements. They also are assessing whether their boards and management teams possess the necessary level of cybersecurity expertise and oversight.

In addition, scenario planning and preparation for cyber incidents must now incorporate the new disclosure timeline and communications considerations. Streamlining the reporting process and coordinating with regulators and law enforcement can conserve valuable time in crafting the public disclosure. The FBI also has established a mechanism to request a delay in disclosures to the SEC, which can influence the final communication timeline.

The SEC’s rules result in more timely disclosure and, perhaps, some enhanced  transparency in communications while presenting new challenges. Investors and other stakeholders will anxiously await further updates as investigations reveal new information about the scale and severity of the impacts. Under the new SEC rules, responding to a cyber incident can become an ongoing challenge and requires a skilled and prepared advisory team across legal, tech, social and communications functions to ensure timeliness, accuracy and clarity for stakeholders.