CCPA data breach prevention


I. Introduction And Background

   A. Disclosure of Cybersecurity Incidents On Current Reports
   B. Disclosures about Cybersecurity Incidents in Periodic Reports
   C. Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks
      1. Risk Management Strategy
      2. Governance
      3. Definitions
   D. Disclosure Regarding the Board of Directors’ Cybersecurity Expertise
   E. Disclosure by Foreign Private Issuers
   F. Structured Data Requirements
   G. Applicability to Certain Issuers
   H. Need for New Rules and Commission Authority
   I. Compliance Dates

II. Other Matters

III. Economic Analysis

   A. Introduction
   B. Economic Baseline
   C. Benefits and Costs of Final Rules
      1. Benefits
      2. Costs
      3. Indirect Economic Effects
   D. Effects on Efficiency, Competition, and Capital Formation
   E. Reasonable Alternatives

IV. Paperwork Reduction Act

V. Final Regulatory Flexibility Analysis

   1. Estimate of Affected Small Entities and Impact to Those Entities
   2. Consideration of Alternatives

STATUTORY AUTHORITY

II. OTHER MATTERS

If any of the provisions of these rules, or the application thereof to any person or circumstance, is held to be invalid, such invalidity shall not affect other provisions or application of such provisions to other persons or circumstances that can be given effect without the invalid provision or application.

Pursuant to the Congressional Review Act, the Office of Information and Regulatory Affairs has designated these rules as not a “major rule,” as defined by 5 U.S.C. 804(2).

III. ECONOMIC ANALYSIS


A. Introduction

We are mindful of the costs imposed by, and the benefits to be obtained from, our rules. Section 2(b) of the Securities Act and Section 3(f) of the Exchange Act direct the Commission, when engaging in rulemaking where it is required to consider or determine whether an action is necessary or appropriate in the public interest, to consider, in addition to the protection of investors, whether the action will promote efficiency, competition, and capital formation. Further, Section 23(a)(2) of the Exchange Act requires the Commission, when making rules under the Exchange Act, to consider the impact that the rules would have on competition, and prohibits the Commission from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the Exchange Act. The discussion below addresses the economic effects of the final rules, including the likely benefits and costs, as well as the likely effects on efficiency, competition, and capital formation.

Where possible, we have attempted to quantify the benefits, costs, and effects on efficiency, competition, and capital formation expected to result from the final rules. In some cases, however, we are unable to quantify the potential economic effects because we lack information necessary to provide a reasonable estimate. For example, we lack the data to estimate any potential decrease in mispricing that might result from the rule, because we do not know how registrants’ disclosures of cybersecurity risk and governance will change or which cybersecurity incidents that would go undisclosed under the current guidance will be disclosed under the final rules. Where we are unable to quantify the economic effects of the final rules, we provide a qualitative assessment of the effects, and of the impacts of the final rule on efficiency, competition, and capital formation. To the extent applicable, the views of commenters relevant to our analysis of the economic effects, costs, and benefits of these rules are included in the discussion below.

While cybersecurity incident disclosure has become more frequent since the issuance of the 2011 Staff Guidance and 2018 Interpretive Release, there is concern that variation persists in the timing, content, and format of registrants’ existing cybersecurity disclosure, and that such variation may harm investors (as further discussed below). When disclosures about cybersecurity breaches are made, they may not be timely or consistent. Because of the lack of consistency in when and how companies currently disclose incidents, it is difficult to assess quantitatively the timeliness of disclosures under current practices. According to Audit Analytics data, in 2021, it took an average of 42 days for companies to discover breaches, and then it took an average of 80 days and a median of 56 days for companies to disclose a breach after its discovery. These data do not tell us when disclosure occurs relative to companies’ materiality determinations. That said, the report notes that some breaches were disclosed for the first time to investors in periodic reports, the timing of which is unrelated to the timing of the incident or the company’s assessment of the materiality of the incident. This implies at least some cybersecurity incident disclosures were not timely with respect to the determination of materiality. Because cybersecurity incidents can significantly affect registrants’ stock prices, delayed disclosure results in mispricing of securities, harming investors. Incident disclosure practices, with respect to both location and content, currently vary across registrants. For example, some registrants disclose incidents through Form 10-K, others Form 8-K, and still others on a company website or in a press release. Some disclosures do not discuss whether the cybersecurity incident had a material impact on the company. Additionally, evidence suggests registrants may be underreporting cybersecurity incidents. More timely, informative, and standardized disclosure of material cybersecurity incidents may help investors to better assess an incident’s impact.

While disclosures about cybersecurity risk management, strategy, and governance have been increasing at least since the issuance of the 2018 Interpretive Release, they are not currently provided by all registrants. Despite the increasing prevalence of references to cybersecurity risks in disclosures, however, registrants do not consistently or uniformly disclose information related to cybersecurity risk management, strategy, and governance. Registrants currently make such disclosures in varying sections of a company’s periodic and current reports, such as in risk factors, in management’s discussion and analysis, in a description of business and legal proceedings, or in financial statement disclosures, and sometimes include them with other unrelated disclosures. One commenter noted that current disclosure is “piecemeal” in nature and that the varying content and placement make it difficult for investors and other market participants to locate and understand the cybersecurity risks that registrants face and their preparedness for an attack, and to make comparisons across registrants.

As we discuss in more detail below, some commenters supported the proposed rule. Specifically, one commenter noted that markets responded negatively to delayed cybersecurity disclosures, suggesting that timeliness in disclosing incidents is valuable to investors. Further, some academic commenters submitted papers that they authored finding evidence that companies experiencing data breaches subsequently experience higher borrowing costs. On the other hand, other commenters contended that the proposed rules would hinder capital formation, particularly for small registrants, or that a more cost-effective alternative to the proposed rules would be to look to existing rules to elicit relevant disclosures, as articulated by the 2011 Staff Guidance and the 2018 Interpretive Release. Several commenters pointed out that the proposed disclosures on cybersecurity risk management, strategy, and governance might be overly prescriptive and would potentially provide a roadmap for threat actors, and that these rules could increase, not decrease, costs. In response to those comments, these provisions have been modified in the final rule, which should reduce the perceived risk of providing a roadmap for threat actors compared with the proposal.

B. Economic Baseline

1. Current Regulatory Framework

To assess the economic impact of the final rules, the Commission is using as its baseline the existing regulatory framework and market practice for cybersecurity disclosure. Although a number of Federal and State rules and regulations obligate registrants to disclose cybersecurity risks and incidents in certain circumstances, the Commission’s regulations currently do not explicitly address cybersecurity.

As noted in the Proposing Release, cybersecurity threats and incidents continue to increase in prevalence and seriousness, posing an ongoing and escalating risk to public registrants, investors, and other market participants. The number of reported breaches disclosed by public companies has increased almost 600 percent over the last decade, from 28 in 2011 to 131 in 2020 and 188 in 2021. Although estimating the total cost of cybersecurity incidents is difficult, as many events may be unreported, some estimates put the economy-wide total costs as high as trillions of dollars per year in the U.S. alone. The U.S. Council of Economic Advisers estimated that in 2016 the total cost of cybersecurity incidents was between $57 billion and $109 billion, or between 0.31 and 0.58 percent of U.S. GDP in that year. A more recent estimate suggests the average cost of a data breach in the U.S. is $9.44 million. Executives, boards of directors, and investors remain focused on the emerging risk of cybersecurity. A 2022 survey of bank Chief Risk Officers found that they identified managing cybersecurity risk as the top strategic risk. In 2022, a survey of audit committee members again identified cybersecurity as a top area of focus in the coming year.

In 2011, the Division of Corporation Finance issued interpretive guidance providing the Division’s views concerning operating registrants’ disclosure obligations relating to cybersecurity risks and incidents. This 2011 Staff Guidance provided an overview of existing disclosure obligations that may require a discussion of cybersecurity risks and cybersecurity incidents, along with examples of potential disclosures. Building on the 2011 Staff Guidance, the Commission issued the 2018 Interpretive Release to assist operating companies in preparing disclosure about cybersecurity risks and incidents under existing disclosure rules. In the 2018 Interpretive Release, the Commission reiterated that registrants must provide timely and ongoing information in periodic reports (Form 10-Q, Form 10-K, and Form 20-F) about material cybersecurity risks and incidents that trigger disclosure obligations. Additionally, the 2018 Interpretive Release encouraged registrants to continue to use current reports (Form 8-K or Form 6-K) to disclose material information promptly, including disclosure pertaining to cybersecurity matters. Further, the 2018 Interpretive Release noted that to the extent cybersecurity risks are material to a registrant’s business, the Commission believes that the required disclosure of the registrant’s risk oversight should include the nature of the board’s role in overseeing the management of that cybersecurity risk. The 2018 Interpretive Release also stated that a registrant’s controls and procedures should enable it to, among other things, identify cybersecurity risks and incidents and make timely disclosures regarding such risks and incidents. Finally, the 2018 Interpretive Release highlighted the importance of insider trading prohibitions and the need to refrain from making selective disclosures of cybersecurity risks or incidents.

In keeping with existing obligations, companies are increasingly acknowledging cybersecurity risks in their disclosures. One analysis of disclosures made by Fortune 100 companies that filed 10-Ks and proxy statements found 95 percent of those companies disclosed a focus on cybersecurity risk in the risk oversight section of their proxy statements filed in the period ending in May 2022, up from 89 percent of filings in 2020 and 76 percent in 2018. Disclosures of efforts to mitigate cybersecurity risk were found in 99 percent of proxy statements or Forms 10-K, up from 93 percent in 2020 and 85 percent in 2018. The Fortune 100 list is composed of the highest-revenue companies in the United States. As discussed later in this economic analysis, we observed the overall rate of disclosure across not just the largest, but all filers, approximately 8,400, to be approximately 73 percent. Further, one commenter noted that current disclosures are “scattered and unpredictable” rather than “uniform,” which “diminishes their effectiveness,” and so the final rule should improve investors’ ability to find and compare disclosures.

Registrants currently are and may continue to be subject to other cybersecurity incident disclosure requirements developed by various industry regulators and contractual counterparties. As discussed in Section II, CIRCIA was passed in March 2022 and requires CISA to develop and issue regulations on cybersecurity reporting. As set forth in CIRCIA, once those regulations are adopted, covered entities will have 72 hours to report covered cybersecurity incidents to CISA and will also be required to report a ransom payment as the result of a ransomware attack within 24 hours of the payment being made. In addition, Federal contractors may be required to monitor and report cybersecurity incidents and breaches or face liability under the False Claims Act. An FCC rule directs covered telecommunications providers on how and when to disclose breaches of certain customer data. HIPAA requires covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar rules require vendors of personal health records and related entities to report data breaches to affected individuals and the FTC. All 50 states have data breach laws that require businesses to notify individuals of security breaches involving their personally identifiable information. There are other rules that registrants must follow in international jurisdictions. For example, in the European Union, the General Data Protection Regulation mandates disclosure of cybersecurity breaches.

These other cybersecurity incident disclosure requirements may cover some of the material incidents that registrants will need to disclose under the final rules. However, not all registrants are subject to each of these other incident disclosure requirements and the timeliness and public reporting elements of these requirements vary, making it difficult for investors and other market participants to be alerted to the breaches and to gain an adequate understanding of the impact of such incidents on a registrant.

Some registrants are also subject to other mandates regarding cybersecurity risk management, strategy, and governance. For instance, government contractors may be subject to the Federal Information Security Modernization Act, and use the NIST framework to manage information and privacy risks. Certain financial institutions may be subject to the FTC’s Standards for Safeguarding Customer Information Rule, requiring an information security program, including a qualified individual to oversee the security program, and the provision of periodic reports on the cybersecurity program to a company’s board of directors or equivalent governing body. Under HIPAA regulations, covered entities are subject to rules that require protection against reasonably anticipated threats to electronic protected health information. International jurisdictions also have cybersecurity risk mitigation measures and governance requirements (see, for example, the GDPR). These rules and regulations provide varying standards and requirements for disclosing cybersecurity risk management, strategy, and governance, and may not provide investors with public or clear and comparable disclosure regarding how a particular registrant manages its cybersecurity risk profile.

2. Affected Parties

The parties that are likely to be affected by the final rules include investors, registrants, other market participants that use the information provided in company filings (such as financial analysts, investment advisers, and portfolio managers), and external stakeholders such as consumers and other companies in the same industry as affected companies.

We expect the final rules to affect all registrants with relevant disclosure obligations on Forms 10-K, 20-F, 8-K, or 6-K. This includes (1) approximately 7,300 operating companies filing on domestic forms (of which, approximately 120 are business development companies) and (2) 1,174 FPIs filing on foreign forms, based on all companies that filed such forms or an amendment thereto during calendar year 2022. Our textual analysis of all calendar year 2022 Form 10-K filings and amendments reveals that approximately 73 percent of domestic filers made some kind of cybersecurity-related disclosures, whether of incidents, risk, or governance.

We also analyzed calendar year 2022 Form 8-K and Form 6-K filings. There were 71,505 Form 8-K filings in 2022, involving 7,416 filers, out of which 35 filings reported material cybersecurity incidents. Similarly, there were 27,296 Form 6-K filings in 2022, involving 1,161 filers, out of which 22 filings reported material cybersecurity incidents.

C. Benefits and Costs of the Final Rules

The final rules will benefit investors, registrants, and other market participants, such as financial analysts, investment advisers, and portfolio managers, by providing more timely and informative disclosures relating to cybersecurity incidents and cybersecurity risk management, strategy, and governance, facilitating investor decision-making and reducing information asymmetry in the market. The final rules also will entail costs. A discussion of the anticipated economic costs and benefits of the final rules is set forth in more detail below. We first discuss benefits, including benefits to investors and other market participants. We subsequently discuss costs, including the cost of compliance with the final rules. We conclude with a discussion of indirect economic effects on investors, external stakeholders such as consumers, and companies in the same industry with registrants subject to this rule, or those facing similar cybersecurity threats.

1. Benefits

Existing shareholders, and those seeking to purchase shares in registrants subject to the final rules, will be the main beneficiaries of the enhanced disclosure of both cybersecurity incidents and cybersecurity risk management, strategy, and governance as a result of the final rules. Specifically, investors will benefit because: (1) more informative and timely disclosure will improve investor decision-making by allowing investors to better understand a registrant’s material cybersecurity incidents, material cybersecurity risks, and ability to manage such risks, reducing information asymmetry and the mispricing of securities in the market; and (2) more uniform and comparable disclosures will lower search costs and information processing costs. Other market participants that rely on financial statement information to provide services to investors, such as financial analysts, investment advisers, and portfolio managers, will also benefit.

a. More Timely and Informative Disclosure

The final rules provide more timely and informative disclosures, relative to the current disclosure environment, which will allow investors to better understand registrants’ cybersecurity incidents, risks, and ability to manage such risks as well as reduce mispricing of securities in the market. Timeliness benefits to investors will result from the requirement to disclose cybersecurity incidents within four business days of determining an incident was material, as well as the requirement to amend the disclosure to reflect material changes. Information benefits to investors will result from the disclosure of both (1) cybersecurity incidents and (2) cybersecurity risk management, strategy, and governance. Together, the timeliness and information benefits created by the final rules will reduce market mispricing and information asymmetry and potentially lower firms’ cost of capital.

We anticipate Item 1.05, governing cybersecurity incident disclosure on Form 8-K, will lead to more timely disclosure to investors. Currently, there is not a specific requirement for a registrant to disclose a cybersecurity incident to investors in a timely manner after its discovery and determination of material impact. Item 1.05’s requirement to disclose a material cybersecurity incident on Form 8-K within four business days after determining the incident is material will improve the overall timeliness of the disclosure offered to investors—disclosure that is relevant to the valuation of registrants’ securities. It is well-documented in the academic literature that the market reacts negatively to announcements of cybersecurity incidents. For example, one study finds a statistically significant mean cumulative abnormal return of -0.84 percent in the three days following cyberattack announcements, which, according to the study, translates into an average value loss of $495 million per attack. One commenter argued that the magnitude of stock market reaction to cybersecurity incidents from this study would not be considered significant by market participants, stating that “if a stock had a historical standard deviation of 1 percent and moved 0.8 percent on news, most market participants would suggest that the news was either not significant or the market had priced in that news so the reaction was muted.” We note, however, that a cumulative abnormal return (CAR) of -0.84 percent refers not to the total return but to the return relative to how stocks in similar industries and with similar risk profiles moved; thus, indeed, a statistically significantly negative CAR represents a meaningful reaction and change to how the stock price would have moved that day absent the announcement of the cybersecurity incident. By allowing investors to make decisions based on more current, material information, Item 1.05 will reduce mispricing of securities and information asymmetry in the market.

Information asymmetries due to timing could also be exploited by the malicious actors who caused a cybersecurity incident, those who could access and trade on material information stolen during a cybersecurity incident, or those who learn about the incident before public disclosure, causing further harm to investors who trade unknowingly against those with inside information. Malicious actors may trade ahead of an announcement of a data breach that they caused or pilfer material information to trade on ahead of company announcements. Trading on undisclosed cybersecurity information is particularly pernicious, because profits generated from this type of trading provide incentives for malicious actors to “create” more incidents and proprietary information to trade on, further harming the shareholders of impacted companies. Employees or related third-party vendors of a company experiencing a cybersecurity incident may also learn of the incident and trade against investors in the absence of disclosure. More timely disclosure as a result of Item 1.05 will reduce mispricing by reducing windows of information asymmetry in connection with a material cybersecurity incident, thereby reducing opportunities to exploit the mispricing, enhancing investor protection.

A commenter noted that there is a risk that the rule could, under certain conditions, aid stock manipulation efforts by malicious actors, offsetting these benefits. One commenter suggested that mandated disclosure timing could make public cybersecurity incident disclosure dates more predictable, and thus trading strategies based on the accompanying negative stock price reaction more consistent, to the extent malicious actors can monitor or control discovery of breaches they cause and correctly anticipate materiality determination timing. Their ability to do this is unclear, but we note that if the final rules increase the precision of strategies by attackers that involve shorting the stock of their targets, that would reduce the benefit of the final rules.

Item 1.05 allows registrants to delay filing for up to 30 days if the Attorney General determines that the incident disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. The delay may be extended up to an additional 30 days if the Attorney General determines disclosure continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. Beyond the final 60-day delay, if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through Commission exemptive order. These delay periods and possible exemptive relief would curb the timeliness benefits discussed above but would reduce the costs of premature disclosure such as alerting malicious actors targeting critical infrastructure that their activities have been discovered.

By requiring all material cybersecurity incidents to be disclosed, Item 1.05 will also provide investors more informative disclosure by increasing material cybersecurity incident disclosure. There are currently reasons that registrants do not disclose cybersecurity incidents. For example, a registrant’s managers may be reluctant to release information that they expect or anticipate will cause their stock price to suffer. Thus an agency problem prevents investors from receiving this useful information. In addition, registrants may consider only the benefits and costs that accrue to them when deciding whether to disclose an incident. As discussed in Section IV.C.3, incident disclosure can create indirect economic effects that accrue to parties other than the company itself. Companies focused on direct economic benefits, however, may not factor in this full range of effects resulting from disclosing cybersecurity incidents, resulting in less reporting and less information released to the market. The mandatory disclosure in Item 1.05 should thus lead to more incidents being disclosed, reducing mispricing of securities and information asymmetry in the market as stock prices will more accurately reflect registrants having experienced a cybersecurity incident.

Item 1.05 will also improve the informativeness of the content of cybersecurity incident disclosures. In 2022, when registrants filed a Form 8-K to report an incident, the Form 8-K did not necessarily state whether the incident was material, and in some cases, the Form 8-K stated that the incident was immaterial. Item 1.05 will require registrants to describe in an 8-K filing the material aspects of the nature, scope, and timing of a material cybersecurity incident and the material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operations. The disclosure must also identify any information called for in Item 1.05(a) that is not determined or is unavailable at the time of the required filing. Registrants will then need to disclose this information in a Form 8-K amendment containing such information within four business days after the information is determined or becomes available. Item 1.05 is thus expected to elicit more pertinent information to aid investor decision-making. Additionally, the materiality requirement should minimize immaterial incident disclosure that might divert investor attention, which should reduce mispricing of securities. Numerous commenters on the Proposing Release agreed that more informative incident disclosure would be useful for investors.

Regulation S-K Items 106(b) and (c) of the final rules provide further benefits by requiring registrants to disclose, in their annual reports on Form 10-K, information about their cybersecurity risk management, strategy, and governance. The final rules require disclosure regarding a registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as disclosure of the registrant’s board of directors’ oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. There are currently no disclosure requirements on Forms 10-K or 10-Q that explicitly refer to cybersecurity risks or governance, and thus Item 106 will benefit investors by eliciting relevant information about how registrants are managing their material cybersecurity risks.

One commenter took issue with the usefulness of the proposed disclosures, arguing, for example, that the particular requirement to disclose whether a registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program was unnecessary because there was no evidence that such third parties improved a registrant’s cyber risk management, and some companies have internal cybersecurity risk management capabilities. Some, however, have noted that the use of independent third-party advisors may be “vital to enhancing cyber resiliency” by validating that the risk management program is meeting its objectives. As discussed in Section II.C.1.c., it may be important for investors to know a registrant’s level of in-house versus outsourced cybersecurity capacity. Another commenter suggested that the requirement to disclose governance and risk management practices would be of limited value to investors, while being administratively burdensome. Other commenters said that the required disclosures about cybersecurity governance and risk management were too granular to be useful and suggested that the specific disclosures be replaced with a more high-level explanation of management’s and the board’s roles in cybersecurity risk management and governance. One such commenter stated that the proposed disclosures would create pressures to provide boilerplate responses to the specific items that would need to be disclosed instead of providing a robust discussion of the way a registrant would manage cybersecurity risk management and governance. Another commenter stated that granular disclosures “may result in overly detailed filings that have little utility to investors.” These commenters suggested that the specific disclosures should be replaced with a more high-level explanation of management’s and the board’s roles in cybersecurity risk management and governance.

In response to these comments, the Commission is not adopting certain proposed disclosure requirements, such as disclosure of whether the registrant has a designated chief information security officer. However, Items 106(b) and (c) still require risk, strategy and governance disclosures as we continue to believe disclosures of cybersecurity risk oversight and processes, as well as management’s role and relevant expertise, are important to investors. Improved timeliness and informativeness of cybersecurity disclosures may provide further benefit by lowering companies’ cost of capital. As detailed above, the final rules should reduce information asymmetry and mispricing of securities. In an asymmetric information environment, investors are less willing to hold shares, reducing liquidity. Registrants may respond by issuing shares at a discount, increasing their cost of capital. By providing more, and more credible, disclosure, however, companies can reduce the risk of adverse selection faced by investors and the discount they demand, ultimately increasing liquidity and decreasing the company’s cost of capital. Investors benefit when the companies they are invested in enjoy higher liquidity. Item 1.05 enables companies to provide more credible disclosure because currently, investors do not know whether an absence of incident disclosure means no incidents have occurred, or one has but the company has not yet chosen to reveal it. By requiring all material incidents to be reported, Item 1.05 supplies investors greater assurance that, indeed, barring extraordinary circumstances, no disclosure means the company has not been aware for more than four business days of a material incident having occurred. Similarly, Item 106 should also generate more credible disclosure. Currently, voluntary cybersecurity risk management, strategy, and governance disclosures lack standardization and consistency, reducing their comparability and usefulness for investors. Without set topics that must be addressed, companies may disclose only the strongest aspects of their cybersecurity processes, if they disclose at all. By clarifying what registrants must disclose with respect to their cybersecurity risk management, strategy, and governance, Item 106 will reduce information asymmetry and provide investors and other market participants more certainty and easier comparability of registrants’ vulnerability to and ability to manage cybersecurity breaches, reducing adverse selection and increasing liquidity. Thus, the final rules could decrease cost of capital across registrants and increase company value, benefiting investors.

One commenter argued that smaller registrants are less likely than larger registrants to experience cybersecurity incidents and that cyberattacks are not material for smaller registrants. This could imply that the degree of cybersecurity-driven adverse selection faced by investors in small registrants might be less severe. If so, the potential benefit from improvement in liquidity and cost of capital due to the timeliness and information benefits from the final rules might be smaller for small registrants and their investors. The research this commenter cited to support this assertion found larger companies were more susceptible than smaller companies to a particular category of cybersecurity incidents—those involving personal information lost through hacking by an outside party—which made up less than one-quarter of all cyber incidents in the sample (1,580 out of 6,382). It is possible that malicious strategies that target personal information are particularly suited to larger, well-known companies, and thus the research may overstate the degree to which large companies are more susceptible to cybersecurity incidents generally. These strategies explicitly harm companies’ customers, and customer ill will is potentially more newsworthy and consequential for a larger, well-known company as compared to a smaller one. In contrast, ransomware attacks that target non-personal, internal company operations such as an information technology network, for example, are less concerned with causing reputational loss and thus may have an optimal target profile that favors smaller firms as much as larger firms. Additionally, smaller companies may have fewer resources and weaker processes in place to prevent cybersecurity attacks. Hence, it is not clear that smaller companies experience fewer material cybersecurity incidents generally. Others have noted that small companies are frequently targeted victims of cyberattacks, potentially leading to dissolution of the business. Thus, overall, we maintain that cybersecurity attacks are material for smaller reporting companies and that the final rules will serve to benefit them and their investors.

Overall, Form 8-K Item 1.05 and Regulation S-K Item 106 provide for timely, informative, and up-to-date disclosure of cybersecurity incidents, as well as disclosure that may provide insight into whether a registrant is prepared for risks from cybersecurity threats and has adequate cybersecurity risk management, strategy, and governance measures in place to reduce the likelihood of future incidents, reducing the likelihood of delayed or incomplete disclosure and benefiting investors and the market.

We believe enhanced information, timing, and completeness of disclosures as a result of Form 8-K Item 1.05 and Regulation S-K Item 106 will benefit not only investors but also other market participants that rely on registrant disclosures to provide services to investors. They, too, will be able to better evaluate registrants’ cybersecurity preparations and risks and thus provide better recommendations. We note that the potential benefit of these amendments could be reduced because some registrants already provide relevant disclosures. That said, we expect this same information will become more useful due to added context from, and easier comparisons with, the increased number of other registrants now providing these disclosures.

We are unable to quantify the potential benefit to investors and other market participants as a result of the increase in disclosure and improvement in pricing under the final rules. Such estimation requires information about the fundamental value of securities and the extent of the mispricing. We do not have access to such information and therefore cannot provide a reasonable estimate. One commenter suggested we use existing cyber disclosure models to “empirically determine” the current degree of market mispricing, but did not suggest what data the Commission could use to do so. The Commission cannot estimate the effects of undisclosed cybersecurity incidents that are creating market mispricing, as the relevant information was never released and the market was unable to react.

b. Greater Uniformity and Comparability

The final rules requiring disclosure about cybersecurity incidents and cybersecurity risk management, strategy, and governance should also lead to more uniform and comparable disclosures, in terms of both content and location, benefiting investors by lowering their search and information processing costs. Currently, registrants do not always use Form 8-K to report cybersecurity incidents. Even among registrants that do, reporting practices vary widely. Some provide a discussion of materiality, the estimated costs of an incident, or the remedial steps taken as a result of an incident, while others do not provide such disclosure or provide much less detail. Disclosures related to risk management, strategy, and governance also vary significantly across registrants—such information could be disclosed in places such as the risk factors section, the management’s discussion and analysis section, or not at all. For both types of disclosures, the final rules specify the topics that registrants should disclose. As a result, both incident disclosure and risk management, strategy, and governance disclosure should become more uniform across registrants, making them easier for investors and other market participants to compare. The final rules also specify the disclosure locations (e.g., Item 1C of Form 10-K), benefiting investors and other market participants further by reducing the time, cost, and effort it takes them to search for and retrieve information (as pointed out by commenters).

We note that to the extent that the disclosures related to cybersecurity risk management, strategy, and governance become too uniform or “boilerplate,” the benefit of comparability may be diminished. However, we believe that Item 106 requires sufficient specificity, tailored to the registrant’s facts and circumstances, to help mitigate any tendency towards boilerplate disclosures. Item 106 also provides a non-exclusive list of information that registrants should disclose, as applicable, which should help in this regard.

The requirement to tag the cybersecurity disclosure in Inline XBRL will likely augment the informational and comparability benefits by making the disclosures more easily retrievable and usable for aggregation, comparison, filtering, and other analysis. XBRL requirements for public operating company financial statement disclosures have been observed to mitigate information asymmetry by reducing information processing costs, thereby making the disclosures easier to access and analyze. While these observations are specific to operating company financial statement disclosures and not to disclosures outside the financial statements, such as the cybersecurity disclosures, they suggest that the Inline XBRL requirements should directly or indirectly (i.e., through information intermediaries such as financial media, data aggregators, and academic researchers) provide investors with increased insight into cybersecurity-related information at specific companies and across companies, industries, and time periods. Also, unlike XBRL financial statements (including footnotes), which consist of tagged quantitative and narrative disclosures, the cybersecurity disclosures consist largely of tagged narrative disclosures. Tagging narrative disclosures can facilitate analytical benefits such as automatic comparison or redlining of these disclosures against prior periods and the performance of targeted artificial intelligence or machine learning assessments (tonality, sentiment, risk words, etc.) of specific cybersecurity disclosures rather than the entire unstructured document.

In addition, by formalizing the disclosure requirements related to cybersecurity incidents and cybersecurity risk management, strategy, and governance, the final rules could reduce compliance costs for those registrants that are currently providing disclosure about these topics. The compliance costs would be reduced to the extent that those registrants may be currently over-disclosing information out of caution, to increase the perceived credibility of their disclosures, or to signal to investors that they are diligent with regard to cybersecurity. For instance, the staff has observed that some registrants provide Form 8-K filings even when they do not anticipate the incident will have a material impact on their business operations or financial results. By specifying that only material incidents require disclosure, the final rules should ease some of these concerns and reduce costs to the extent those costs currently exist. Investors will benefit to the extent the registrants they invest in enjoy lower compliance costs.

2. Costs

We also recognize that enhanced cybersecurity disclosure would result in costs to registrants, borne by investors. These costs include potential increases in registrants’ vulnerability to cybersecurity incidents and compliance costs. We discuss these costs below.

First, the disclosure about cybersecurity incidents and cybersecurity risk management, strategy, and governance could potentially increase the vulnerability of registrants. Since the issuance of the 2011 Staff Guidance, concerns have been raised that providing detailed disclosures of cybersecurity incidents could, potentially, provide a road map for future attacks, and, if the underlying security issues are not completely resolved, could exacerbate the ongoing attack. The concern is that malicious actors could use the disclosures to potentially gain insights into a registrant’s practices on cybersecurity. As a result, the final incident disclosure rules could potentially impose costs on registrants and their investors, if, for example, additional threat actors steal more data or hamper breach resolution.

The final rules have been modified from the Proposing Release to mitigate disclosure of details that could aid threat actors, while remaining informative for investors. Form 8-K Item 1.05 will require registrants to timely disclose material cybersecurity incidents, describe the material aspects of the nature, scope, and timing of the incident, and, importantly, describe the material impact or reasonably likely material impact of the incident on the registrant. Focusing on the material impact or reasonably likely material impact of the incident rather than the specific or technical details of the incident should reduce the likelihood of providing a road map that threat actors can exploit for future attacks, and should reduce the risks and costs stemming from threat actors acting in this manner.

Similar concerns were raised by commenters about the required risk management, strategy, and governance disclosure. Items 106(b) and (c) require registrants to provide specified disclosure regarding their cybersecurity risk management processes and cybersecurity governance by the management and board. The required disclosure could provide malicious actors information about which registrants have weak processes related to cybersecurity risk management and allow such malicious actors to determine their targets accordingly.

However, academic research so far has not provided evidence that more detailed cybersecurity risk disclosures necessarily lead to more attacks. For example, one study finds that measures for specificity (e.g., the uniqueness of the disclosure) do not have a statistically significant relation with subsequent cybersecurity incidents. Another study finds that cybersecurity risk factor disclosures that involve terms about processes are less likely to be related to future breach announcements than disclosures that employ more general language. On the other hand, we note that the final rules will require more details of cybersecurity processes than what is explicitly required under the current rules, and the uniformity of the final rules might also make it easier for malicious actors to identify registrants with relatively weaker processes. Therefore, these academic findings might not be generalizable to the effects of the final rules. However, we also note that we have streamlined the disclosure obligations for Items 106(b) and (c), in response to commenters’ concerns, to require a more principles-based discussion of a registrant’s processes instead of detailed disclosures on a specific set of items. This change should help ease concerns that the required cybersecurity risk management, strategy, and governance disclosures will help malicious actors choose targets. In addition, the potential costs resulting from the disclosure requirements might be partially mitigated to the extent that registrants decide to enhance their cybersecurity risk management in anticipation of the increased disclosure. This possibility is discussed below under Indirect Economic Effects.

The final rules will also impose compliance costs. Registrants, and thus their investors, will incur one-time and ongoing costs to fulfill the new disclosure requirements under Item 106 of Regulation S-K. These costs will include costs to gather the information and prepare the disclosures.
Registrants will also incur compliance costs to fulfill the disclosure requirements related to Form 8-K (Form 6-K for FPIs) incident disclosure. These costs include one-time costs to implement or revise their incident disclosure practices, so that any registrant that determines it has experienced a material cybersecurity incident will disclose such incident with the required information within four business days. Registrants may also incur ongoing costs to disclose in a Form 8-K report any material changes or updates relating to previously disclosed incidents, and we expect these costs to be higher for registrants with more incidents to disclose. The costs will be mitigated for registrants whose current disclosure practices match or are similar to those that are in the final rules. One commenter suggested that companies could incur costs to reconcile their existing cybersecurity activities and NIST-based best practices with the requirements of the final rules but, as discussed in Section II.C.3.c, the final rules are not in conflict with NIST and we do not anticipate that significant reconciliation will be needed.

The compliance costs will also include costs attributable to the Inline XBRL tagging requirements. Many commenters supported the XBRL tagging requirement, while one commenter suggested that it would be burdensome to add tagging given the time-sensitive nature of the disclosure requirements. Various preparation solutions have been developed and used by operating companies to fulfill XBRL requirements, and some evidence suggests that, for smaller companies, XBRL compliance costs have decreased over time. The incremental compliance costs associated with Inline XBRL tagging of cybersecurity disclosures will also be mitigated by the fact that most companies that will be subject to the requirements are already subject to other Inline XBRL requirements for other disclosures in Commission filings, including financial statement and cover page disclosures in certain periodic reports and registration statements. Such companies may be able to leverage existing Inline XBRL preparation processes and expertise in complying with the cybersecurity disclosure tagging requirements. Moreover, the one-year XBRL compliance period extension could further assuage concerns about the transition for registrants to comply with the new requirements.

Some commenters contended that the Proposing Release failed to consider the costs of the proposed rules adequately. We are generally unable to quantify costs related to the final rules due to a lack of data. For example, we are unable to quantify the impact of any increased vulnerability to existing or new threat actors arising from the required incident or risk management, strategy, or governance disclosures. Moreover, costs related to preparing cyber-related disclosures are generally private information known only to the issuing firm, hence such data are not readily available to the Commission. There is also likely considerable variation in these costs depending on a given firm’s size, industry, complexity of operations, and other characteristics, which makes comprehensive estimates difficult to obtain. We note that the Commission has provided certain estimates for purposes of compliance with the Paperwork Reduction Act of 1995, as further discussed in Section V below. Those estimates, while useful to understanding the collection of information burden associated with the final rules, do not purport to reflect the full costs associated with making the required disclosures.

One commenter provided a numerical cost estimate, stating the initial costs of complying with the proposed rules would be $317.5 million to $523.4 million ($38,690 to $69,151 per regulated company), and future annual costs would be $184.8 million to $308.1 million ($22,300 to $37,500 per regulated company). We cannot directly evaluate the accuracy of these estimates because the commenter did not provide any explanation for how they were derived. We believe, however, these estimates likely significantly overstate the costs of the final rules.

First, the commenter overestimates the number of registrants who are likely to bear the full costs of new disclosures. Converting the total and per company cost estimates to registrant counts implies the commenter assumed these costs would be borne by approximately 8,000 companies, which would be nearly every registrant. As stated in Section IV.B.2 above, however, 73 percent of domestic filers in 2022 already made cybersecurity-related disclosures in Form 10-K filings and amendments, and 35 Form 8-K filings disclosed material cybersecurity incidents. While the degree to which registrants’ existing disclosures already may be in line with the requirements of the final rules varies—some registrants may need to make significant changes while others may not, especially given the guidance from the 2018 Interpretive Release—most registrants should not bear the full costs of compliance. In addition, while cybersecurity incident disclosure is expected to increase as a result of Item 1.05, we do not expect that most companies will need to report in any given year. Extrapolating from the current numbers of incidents reported—for example, public companies disclosed 188 reported breaches in 2021—we expect that the overwhelming majority of registrants will not experience a material breach and will not need to disclose cybersecurity incidents and incur the ongoing associated costs. They may, however, revisit their disclosure controls initially, to ensure they are capturing what the rule requires.

Second, we have made changes from the proposed rules that would also reduce costs as compared with the proposal. Some of these changes concerned aspects of the proposed rules that the commenter noted would be burdensome. For example, the commenter states that “potential material incidents in the aggregate would be difficult to identify and operationally challenging to track.” The commenter also states “the SEC underestimates the burdens related to tracking ‘several small but continuous cyberattacks against a company,’ which may or may not prove to be material.” These comments refer to proposed Item 106(d)(2), which would have required disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. In response to comments, we are not adopting this aspect of the proposal and instead have added “a series of related unauthorized occurrences” to the definition of “cybersecurity incident,” which may help address this concern about the burden of the proposal. The comment letter also stated that “cybersecurity talent is scarce globally. From a personnel standpoint, it’s unclear where companies would get the so-called cybersecurity experts that the proposed regulation would mandate. There is a well-documented lack of cybersecurity talent for the public and private sectors that would unquestionably affect companies’ recruitment of board cybersecurity experts.” We are not adopting proposed Item 407(j) about the cybersecurity expertise, if any, of a registrant’s board members, which may have factored into the commenter’s cost estimates. Additionally, the proposal would not have mandated recruitment of cybersecurity experts, only disclosure of their presence. Additional streamlining of requirements in the final rules (e.g., reduced granularity of cybersecurity incident disclosure requirements) should further reduce costs from what might have been estimated using the Proposing Release.

Another commenter stated that the Commission’s calculation of costs and benefits does not adequately address the impact of different but overlapping disclosure and reporting requirements that may escalate burdens and costs. We acknowledge the possibility that to the extent different information has to be reported pursuant to different regulations, laws, or other requirements, there could be a greater cost because of the demands to keep track of and manage the multiple different disclosure regimes. However, to the extent that certain other existing requirements may involve monitoring cybersecurity incidents or assessing an incident’s impact on the registrant, the registrant may be able to leverage existing disclosures to reduce the burden of complying with the final rules. Additionally, as noted in Section II.A.3, those other regulations generally serve different purposes than the final rules, and we believe that the benefits of the final rules justify the costs.

One commenter raised a concern that the costs of the rules reached the threshold of an “economically significant rulemaking” under the Unfunded Mandates Reform Act of 1995 (“UMRA”) and the Small Business Regulatory Enforcement Fairness Act, thus requiring an “enhanced economic analysis.” The requirement to issue an analysis under the UMRA does not apply to rules issued by independent regulatory agencies.

The compliance costs of the final rules could be disproportionately burdensome to smaller registrants, as some of these costs may have a fixed component that does not scale with the size of the registrant. Also, smaller registrants may have fewer resources with which to implement these changes. One commenter suggested this could lead some small companies seeking to conduct an initial public offering to reconsider. Commenters also noted that smaller companies may not yet have a mature reporting regime and organizational structure and would benefit from an onramp to compliance. We are not adopting some proposed requirements (e.g., disclosing whether the board includes a cybersecurity expert), and thus the cost burden of the final rules should not be as high as initially proposed. We also are delaying compliance for incident disclosure for smaller reporting companies by providing an additional phase-in period of 180 days after the non-smaller reporting company compliance date for smaller reporting companies, which will delay compliance with these requirements for 270 days from effectiveness of the rules. To the extent smaller reporting companies are less likely than larger companies to have incident disclosure processes in place, they could benefit from additional time to comply. An extended compliance date may also permit smaller reporting companies to benefit from seeing how larger companies implement these disclosures. Investors in these smaller registrants could benefit from higher disclosure quality afforded by the delay, although some benefits, such as the reduction in asymmetric information and mispricing, would also be delayed.

3. Indirect Economic Effects

While the final rules only require disclosures—not changes to risk management practices—the requirement to disclose and the disclosures themselves could result in certain indirect benefits and costs. In anticipating investor reactions to the required disclosures, for example, registrants might devote more resources to cybersecurity governance and risk management in order to be able to disclose those efforts. Although not the purpose of this rule, registrants devoting resources to cybersecurity governance and risk management could reduce both their susceptibility to a cybersecurity attack, reducing the likelihood of future incidents, and the degree of harm suffered from an incident, benefiting registrants and investors. The choice to dedicate these resources would also represent an indirect cost of the final rules, to the extent registrants do not already have governance and risk management measures in place. As with compliance costs, the cost of improving cybersecurity governance and risk management could be proportionally higher for smaller companies if these registrants have fewer resources to implement these changes, and to the extent these costs do not scale with registrant size.

In addition, the requirement to tag the cybersecurity disclosure in Inline XBRL could have indirect effects on registrants. As discussed in Section III.C.1.a.(ii), XBRL requirements for public operating company financial statement disclosures have been observed to reduce information processing cost. This reduction in information processing cost has been observed to facilitate the monitoring of registrants by other market participants, and, as a result, to influence registrants’ behavior, including their disclosure choices.

The requirement in Item 1.05 that registrants timely disclose material cybersecurity incidents could also indirectly affect consumers, and external stakeholders such as other registrants in the same industry and those facing similar cybersecurity threats. Cybersecurity incidents can harm not only the company that suffers the incident but also other businesses and consumers. For example, a cybersecurity breach at one company, such as a gas pipeline, or a power company, may cause a major disruption or shutdown of a critical infrastructure industry, resulting in broad losses throughout the economy. Timely disclosure of cybersecurity incidents required by Item 1.05 could increase awareness by those external stakeholders and companies in the same industry that the malicious activities are occurring, giving them more time to mitigate any potential damage.

To the extent that Item 1.05 increases incident disclosure, consumers may learn about a particular cybersecurity breach and therefore take appropriate actions to limit potential economic harm that they may incur from the breach. For example, there is evidence that increased disclosure of cybersecurity incidents by companies can reduce the risk of identity theft for individuals. Also, consumers may be able to make better informed decisions about which companies to entrust with their personal information.

As discussed above, to the extent that registrants may decide to enhance their cybersecurity risk management in anticipation of the increased disclosure, that could reduce registrants’ susceptibility to and damage incurred from a cybersecurity attack. This reduced likelihood of and vulnerability to future incidents could reduce the negative externalities of those incidents, leading to positive spillover effects and a reduction in overall costs to society from these attacks.

However, the magnitude of this and the other indirect effects discussed above would depend upon factors outside of the specific disclosures provided in response to the final rule, and therefore it is difficult to assess with certainty the likelihood or extent of these effects.

D. Effects on Efficiency, Competition, and Capital Formation

We believe the final rules should have positive effects on market efficiency. As discussed above, the final rules should improve the timeliness and informativeness of cybersecurity incident and risk disclosure. As a result of the disclosure required by the final rules, investors and other market participants should better understand the cybersecurity threats registrants are facing, their potential impact, and registrants’ ability to respond to and manage risks. Investors and other market participants should thereby better evaluate registrants’ securities and make more informed decisions. As a result, the required disclosures should reduce information asymmetry and mispricing in the market, improving market efficiency. More efficient prices should improve capital formation by increasing overall public trust in markets, leading to greater investor participation and market liquidity. The final rules also could promote competition among registrants with respect to improvement in both their cybersecurity risk management and transparency in communicating their cybersecurity processes. To the extent investors view strong cybersecurity risk management, strategy, and governance favorably, registrants disclosing more robust processes, more clearly, could benefit from greater interest from investors, leading to higher market liquidity relative to companies that do not. Customers may also be more likely to entrust their business to companies that protect their data. Registrants that to date have invested less in cybersecurity preparation could thus be incentivized to invest more, to the benefit of investors and customers, in order to become more competitive. To the extent that increased compliance costs resulting from the final rules prevent smaller companies from entering the market, as a commenter suggested, the final rules could reduce the ability of smaller companies to compete and thereby reduce competition overall.

E. Reasonable Alternatives

1. Website Disclosure

As an alternative to Form 8-K disclosure of material cybersecurity incidents, we considered providing registrants with the option of disclosing this information instead through company websites, if the company disclosed its intention to do so in its most recent annual report, and subject to information availability and retention requirements. While this approach may be less costly for the company because it may involve fewer compliance costs, disclosures made on company websites would not be located in a central repository, such as the EDGAR system, and would not be in the same place as other registrants’ disclosures of material cybersecurity incidents, nor would they be organized into the standardized sections found in Form 8-K and could thus be less uniform. Even if we required registrants to announce the disclosure, or to alert the Commission to it, the information would still be more difficult for investors and market participants to locate and less uniform than Form 8-K.

The lack of a central repository, and a lack of uniformity of website disclosures, could increase the costs for investors and other market participants to search for and process the information to compare cybersecurity risks across registrants. Additionally, such disclosure might not be preserved on the company’s website for as long as it would be on the EDGAR system when the disclosure is filed with the Commission, because registrants may not keep historical information available on their websites indefinitely and it could be difficult to determine whether the website information had moved or changed. Therefore, this approach would be less beneficial to investors, other market participants, and the overall efficiency of the market.

2. Disclosure through Periodic Reports

We also considered requiring disclosure of material cybersecurity incidents through quarterly or annual reports, as proposed, instead of Form 8-K. Reporting material cybersecurity incidents at the end of the quarter or year would allow registrants more time to assess the financial impact of such incidents. The resulting disclosure might be more specific or informative for investors and other market participants to value the securities and make more informed decisions. The compliance costs would be less under this alternative, because registrants would not have to file as frequently. And, it might further reduce the risk that disclosure could provide timely information to attackers.

However, this alternative also would lead to less timely reporting on material cybersecurity incidents. As a result, the market would not be able to incorporate the information related to cybersecurity risk into securities prices in as timely a manner, and investors and other market participants would not be able to make as informed decisions as they could under the requirements of Item 1.05. Additionally, as previously discussed, less timely reporting could adversely impact external stakeholders, such as other registrants in the same industry and those facing similar cybersecurity threats, and consumers whose data were compromised.

Relatedly, we proposed requiring registrants to disclose material changes and additions to previously reported cybersecurity incidents on Forms 10-K and 10-Q instead of on an amended Form 8-K. However, as discussed above, we believe using Form 8-K would be more timely and consistent; all disclosures concerning material cybersecurity incidents, whether new or containing information not determined or unavailable initially, will be disclosed on the same form.

3. Exempt Smaller Reporting Companies

We also considered exempting smaller reporting companies from the final rules. Exempting smaller reporting companies from the disclosure requirements of the final rules would avoid compliance costs for smaller companies, including those compliance costs that could disproportionately affect smaller companies. As noted earlier, however, we are not adopting some proposed requirements (e.g., disclosing whether the board includes a cybersecurity expert) and modifying others (e.g., requiring a description of cybersecurity “processes” instead of more formal “policies and procedures”), and thus the cost burden of the final rules should not be as high as initially proposed. This should mitigate some of the concerns raised by commenters and would also reduce the potential value of an exemption. Moreover, an exemption would remove the benefit to investors of informative, timely, uniform, and comparable disclosure with regard to smaller companies. And although one commenter argued for an exemption based on a perception that smaller companies are less likely to experience cybersecurity incidents, for the reasons explained in Section IV.C.1.b, we believe that smaller companies are still at risk for material cybersecurity incidents. This aligns with comments we received opposing an exemption for smaller reporting companies.

Lastly, one commenter that argued for an exemption cited the Proposing Release, which noted a potential for increased cost of capital for registrants that do not have cybersecurity programs once disclosures are mandated; the commenter stated that these would disproportionately be smaller registrants. We have reconsidered the argument that registrants without robust cybersecurity processes in place might face a higher cost of capital and as a result would be priced unfavorably, and no longer believe it to be accurate. It is indeed possible that companies that reveal what investors consider to be less robust cybersecurity risk management, strategy, and governance processes may experience a decline in stock price. However, because the risk of cybersecurity attacks should be idiosyncratic, this decline would likely be due to investors updating their expectations of future cash flows for this firm to incorporate higher likelihood of a future incident—moderating the decline should future incidents occur—not an increase in fundamental market risk and thus cost of capital. In addition, to the extent investors already rationally anticipate that smaller registrants or registrants that have not previously disclosed such information have less robust policies, there may be less or no stock price decline as a result of Item 106, as these disclosures would merely confirm expectations. Thus, increases in cost of capital should not be prevalent in this regard and should not be a reason to exempt small firms from the final rules.

IV. PAPERWORK REDUCTION ACT

A. Summary of the Collections of Information

Certain provisions of our rules and forms that will be affected by the final rules contain “collection of information” requirements within the meaning of the Paperwork Reduction Act (“PRA”). The Commission published a notice requesting comment on changes to these collections of information in the Proposing Release and submitted these requirements to the Office of Management and Budget (“OMB”) for review in accordance with the PRA.

The hours and costs associated with preparing, filing, and sending the forms constitute reporting and cost burdens imposed by each collection of information. An agency may not conduct or sponsor, and a person is not required to comply with, a collection of information unless it displays a currently valid OMB control number. Compliance with the information collections is mandatory. Responses to the information collections are not kept confidential and there is no mandatory retention period for the information disclosed. The titles for the affected collections of information are:

    • “Form 8-K” (OMB Control No. 3235-0060);
    • “Form 6-K” (OMB Control No. 3235-0116);
    • “Form 10-K” (OMB Control No. 3235-0063); and
    • “Form 20-F” (OMB Control No. 3235-0288).

The Commission adopted all of the existing regulations and forms pursuant to the Securities Act and the Exchange Act. The regulations and forms set forth disclosure requirements for current reports and periodic reports filed by registrants to help shareholders make informed voting and investment decisions.

A description of the final amendments, including the need for the information and its use, as well as a description of the likely respondents, can be found in Section II above, and a discussion of the economic effects of the final amendments can be found in Section IV above.

B. Summary of Comment Letters and Revisions to PRA Estimates

In the Proposing Release, the Commission requested comment on the PRA burden hour and cost estimates and the analysis used to derive the estimates. While a number of parties commented on the potential costs of the proposed rules, only one commenter spoke specifically to the PRA analysis, arguing that the proposal “cannot be justified under the Paperwork Reduction Act” because of an “unreasonable” number of separate disclosures and because “the amount of information the Proposal would require to be produced is unwarranted in light of other, existing regulations.” The commenter further alleged that the Proposing Release’s “calculation of costs and benefits is skewed” because “different but overlapping disclosure and reporting requirements do not correlate with lower burdens on information providers, but rather, escalated burdens and costs.”

While we acknowledge the commenter’s concerns about costs of the proposal, for the reasons discussed in Section II.H and elsewhere throughout this release, we believe the information required by the final rules is necessary and appropriate in the public interest and for the protection of investors. Further, a discussion of the economic effects of the final amendments, including consideration of comments that expressed concern about the expected costs associated with the proposed rules, can be found in Section IV above. With regard to the calculation of paperwork burdens, we note that both the Proposing Release’s PRA analysis and our PRA analysis of the final amendments here estimate the incremental burden of each new or revised disclosure requirement individually and fully comport with the requirements of the PRA. Our estimates reflect the modifications to the proposed rules that we are adopting in response to commenter concerns, including streamlining some of the proposed rule’s elements to address concerns regarding the level of detail required and the anticipated costs of compliance.

C. Effects of the Amendments on the Collections of Information

The following PRA Table 1 summarizes the estimated effects of the final amendments on the paperwork burdens associated with the affected collections of information listed in Section V.A.

PRA Table 1 – Estimated Paperwork Burden of Final Amendments

| Final Amendments and Effects | Affected Forms | Estimated Burden Increase | Number of Estimated Affected Responses* |
|---|---|---|---|
| Form 8-K: Add Item 1.05 requiring disclosure of material cybersecurity incidents within four business days following determination of materiality. | Form 8-K | 9 hour increase in compliance burden per form | 200 Filings |
| Form 6-K: Add “cybersecurity incident” to the list in General Instruction B of information required to be furnished on Form 6-K. | Form 6-K | 9 hour increase in compliance burden per form | 20 Filings |
| Regulation S-K Item 106: Add Item 106(b) requiring disclosure regarding cybersecurity risk management and strategy; add Item 106(c) requiring disclosure regarding cybersecurity governance. | Form 10-K | 10 hour increase in compliance burden per form | 8,292 Filings |
| Regulation S-K Item 106 (as above) | Form 20-F | 10 hour increase in compliance burden per form | 729 Filings |

* The OMB PRA filing inventories represent a three-year average. Averages may not align with the actual number of filings in any given year.

The estimated burden increases for Forms 8-K, 10-K, and 20-F reflect changes from the estimates provided in the Proposing Release. There, the Commission estimated that the average incremental burden for an issuer to prepare the Form 8-K Item 1.05 disclosure would be 10 hours. The proposed estimate included the time and cost of preparing the disclosure, as well as tagging the data in XBRL. The changes we are making to Item 1.05 in the final rules should generally reduce the associated burden by an incremental amount in most cases. We therefore estimate that Form 8-K Item 1.05 will have a burden of 9 hours, on par with the average burdens of existing Form 8-K items, which is 9.21 hours.

In the Proposing Release, the Commission estimated that the average incremental burden for preparing Form 10-K stemming from proposed Item 106 would be 15 hours. Similarly, the Commission estimated that proposed Item 106 would result in an average incremental burden for preparing Form 20-F of 16.5 hours. The proposed estimates included the time and cost of preparing the disclosure, as well as tagging the data in XBRL. We estimate the changes we are making to Item 106 in the final rules should generally reduce the associated burden by one-third due to the elimination of many of the proposed disclosure items; accordingly, we have reduced the estimated burden to 10 hours from 15 hours for Form 10-K, and to 10 hours from 16.5 hours for Form 20-F.

We have not modified the estimated number of affected responses for Form 8-K and Form 6-K from what was proposed. As noted in the Proposing Release, not every filing of these forms would include responsive disclosures. Rather, these disclosures would be required only when a registrant has made the determination that it has experienced a material cybersecurity incident. Further, in the case of Form 6-K, the registrant would only have to provide the disclosure if it is required to disclose such information elsewhere.

D. Incremental and Aggregate Burden and Cost Estimates for the Final Amendments

Below we estimate the incremental and aggregate increase in paperwork burden as a result of the final amendments. These estimates represent the average burden for all respondents, both large and small. In deriving our estimates, we recognize that the burdens will likely vary among individual respondents and from year to year based on a number of factors, including the nature of their business.

The burden estimates were calculated by multiplying the estimated number of responses by the estimated average amount of time it would take a registrant to prepare and review disclosure required under the final amendments. For purposes of the PRA, the burden is to be allocated between internal burden hours and outside professional costs. PRA Table 2 below sets forth the percentage estimates we typically use for the burden allocation for each collection of information. We also estimate that the average cost of retaining outside professionals is $600 per hour.

PRA Table 2: Standard Estimated Burden Allocation for Specified Collections of Information

| Collection of Information | Internal | Outside Professionals |
|---|---|---|
| Form 10-K, Form 6-K, and Form 8-K | 75% | 25% |
| Form 20-F | 25% | 75% |

PRA Table 3 below illustrates the incremental change to the total annual compliance burden of affected collections of information, in hours and in costs, as a result of the final amendments.

PRA Table 3. Calculation of the Incremental Change in Burden Estimates of Current Responses Resulting from the Final Amendments

| Collection of Information | Number of Estimated Affected Responses (A)* | Burden Hour Increase per Response (B) | Change in Burden Hours (C) = (A) x (B)** | Change in Company Hours (D) = (C) x 0.75 or .25 | Change in Professional Hours (E) = (C) x 0.25 or .75 | Change in Professional Costs (F) = (E) x $600 |
|---|---|---|---|---|---|---|
| 8-K | 200 | 9 | 1,800 | 1,350 | 450 | $270,000 |
| 6-K | 20 | 9 | 180 | 135 | 45 | $27,000 |
| 10-K | 8,292 | 10 | 82,920 | 62,190 | 20,730 | $12,438,000 |
| 20-F | 729 | 10 | 7,290 | 1,822.50 | 5,467.50 | $3,280,500 |

* The number of estimated affected responses is based on the number of responses in the Commission’s current OMB PRA filing inventory. The OMB PRA filing inventory represents a three-year average.

** The estimated changes in Columns (C), (D), and (E) are rounded to the nearest whole number.

The following PRA Table 4 summarizes the requested paperwork burden, including the estimated total reporting burdens and costs, under the final amendments.

PRA Table 4. Requested Paperwork Burden Under the Final Amendments

Current Burden

| Form | Current Annual Responses (A) | Current Burden Hours (B) | Current Cost Burden (C) |
|---|---|---|---|
| Form 8-K | 118,387 | 818,158 | $108,674,430 |
| Form 6-K | 34,794 | 227,031 | $30,270,780 |
| Form 10-K | 8,292 | 13,988,770 | $1,835,588,919 |
| Form 20-F | 729 | 478,983 | $576,490,625 |

Program Change

| Form | Change in Number of Affected Responses (D) | Change in Company Hours (E)† | Change in Professional Costs (F)‡ |
|---|---|---|---|
| Form 8-K | 200 | 1,350 | $270,000 |
| Form 6-K | 20 | 135 | $27,000 |
| Form 10-K | 0 | 62,190 | $12,438,000 |
| Form 20-F | 0 | 1,822.50 | $3,280,500 |

Revised Burden

| Form | Annual Responses (G) = (A) + (D) | Burden Hours (H) = (B) + (E) | Cost Burden (I) = (C) + (F) |
|---|---|---|---|
| Form 8-K | 118,587 | 819,508 | $108,944,430 |
| Form 6-K | 34,814 | 227,166 | $30,297,780 |
| Form 10-K | 8,292 | 14,050,960 | $1,848,026,919 |
| Form 20-F | 729 | 480,805.50 | $579,771,125 |

V. FINAL REGULATORY FLEXIBILITY ANALYSIS

The Regulatory Flexibility Act (“RFA”) requires the Commission, in promulgating rules under Section 553 of the Administrative Procedure Act, to consider the impact of those rules on small entities. We have prepared this Final Regulatory Flexibility Analysis (“FRFA”) in accordance with Section 604 of the RFA. An Initial Regulatory Flexibility Analysis (“IRFA”) was prepared in accordance with the RFA and was included in the Proposing Release.

A. Need for, and Objectives of, the Final Amendments

The purpose of the final amendments is to ensure investors and other market participants receive timely, decision-useful information about registrants’ material cybersecurity incidents, and periodic information on registrants’ approaches to cybersecurity risk management, strategy, and governance that is standardized and comparable across registrants. The need for, and objectives of, the final rules are described in Sections I and II above. We discuss the economic impact and potential alternatives to the amendments in Section IV, and the estimated compliance costs and burdens of the amendments under the PRA in Section V.

B. Significant Issues Raised by Public Comments

In the Proposing Release, the Commission requested comment on any aspect of the IRFA, and particularly on the number of small entities that would be affected by the proposed amendments, the existence or nature of the potential impact of the proposed amendments on small entities discussed in the analysis, how the proposed amendments could further lower the burden on small entities, and how to quantify the impact of the proposed amendments.

We received one comment letter on the IRFA, from the U.S. Small Business Administration’s Office of Advocacy (“Advocacy”). Advocacy’s letter expressed concern that “the IRFA does not adequately describe the regulated small entities and potential impacts on those entities.” In the Proposing Release, the Commission estimated that the proposed amendments would apply to 660 issuers and 9 business development companies that may be considered small entities. Advocacy’s comment letter stated that this estimate did “not provide additional information, such as the North American Industry Classification System (“NAICS”) classifications of the affected entities” and did not “break down the affected entities into smaller size groups (e.g., based on total assets).” It also stated that the IRFA did not “adequately analyze the relative impact of costs to small entities.” In this vein, it suggested that emerging growth companies (“EGCs”) may face particular challenges complying with the proposed rules. In particular, Advocacy’s comment letter stated that “[e]merging growth companies may have little or no revenue to afford the additional cost burden of the proposed rules and may not have access to the cybersecurity expertise necessary to comply with the new disclosure requirements.”

The comment letter from Advocacy also addressed the discussion of alternatives within the IRFA and the Commission’s explanation of why it did not ultimately propose such alternatives. Advocacy stated that “[t]he RFA requires that an IRFA provide significant, feasible alternatives that accomplish an agency’s objectives,” and stated that the IRFA did not satisfy this requirement because it listed “broad categories of potential alternatives to the proposed rules but did not analyze any specific alternative that was considered by the SEC,” and because it did not “contain a description of significant alternatives which accomplish the stated SEC objectives and which minimize the significant economic impact of the proposal on small entities.”

1. Estimate of Affected Small Entities and Impact to Those Entities

With respect to the adequacy of the Proposing Release’s estimate of affected small entities, the RFA requires “a description of and, where feasible, an estimate of the number of small entities to which the proposed rule will apply.” Advocacy’s published guidance recommends agencies use NAICS classifications to help in “identifying the industry, governmental and nonprofit sectors they intend to regulate.” Here, given that the rulemaking applies to and impacts all public company registrants, regardless of industry or sector, we do not believe that further breakout of such registrants by industry classification is necessary or would otherwise be helpful to such entities understanding the impact of the proposed or final rules. This is not a case in which small entities in certain industries and sectors would be affected more than others, as cybersecurity risks exist across industries. For the same reasons we are not breaking down the affected entities into smaller size groups (e.g., based on total assets) as recommended by Advocacy. Given the nature of the final rules, we believe that our estimate of the number of small entities to which the final rules will apply adequately describes and estimates the small entities that will be affected.

With respect to Advocacy’s suggestion that the proposed rule may be “particularly problematic” for EGCs, we have discussed in Section IV.C.2 above the anticipated costs of the final rules, including their impact on EGCs. We also note that the category of EGC is not the same as the category of “small entity” for purposes of the RFA, and indeed EGC status is not a reliable indicator of whether a registrant is a small entity. While EGC status does include a revenue component, it importantly considers whether the issuer is seasoned, meaning, whether it is a new registrant (rather than a registrant with a longer public reporting history). Accordingly, while many EGCs are small entities, there are many that are not. Likewise, many small entities are not EGCs. For purposes of the FRFA, our focus is on the impact on small entities, regardless of whether or not they are EGCs.

We disagree with the statement in the Advocacy comment letter that “SEC expects that the costs associated with the proposed amendments to be similar for large and small entities.” The Commission explained in the IRFA that the proposed amendments would apply to small entities to the same extent as other entities, irrespective of size, and that therefore, the Commission expected that “the nature of any benefits and costs associated with the proposed amendments to be similar for large and small entities” (emphasis added). The analysis with respect to the nature of the costs (and benefits) of the proposed rules detailed in the Economic Analysis of the Proposing Release was referenced in the IRFA to help small entities understand such impacts, not to imply that small entities face the same degree of costs as large entities. Indeed, the Commission went on to state in both the IRFA and the Economic Analysis of the Proposing Release that, while it was unable to project the economic impacts on small entities with precision, it recognized that “the costs of the proposed amendments borne by the affected entities could have a proportionally greater effect on small entities, as they may be less able to bear such costs relative to larger entities.” Additionally, in Section IV, above, we discuss the economic effects, including costs, of the final amendments across all entities. We recognize that to the extent the costs are generally uniform across all entities, they would have a relatively greater burden on smaller entities. That said, as discussed both above and below, to help mitigate that relatively greater burden and to respond to comment letters including the letter from Advocacy, we have extended the compliance date for smaller reporting companies so as to provide additional transition time and allow them to benefit from the experience of larger companies. Accordingly, we believe that both this FRFA and our prior IRFA adequately describe and analyze the relative impact of costs to small entities.

2. Consideration of Alternatives

The IRFA’s discussion of significant alternatives, and our discussion of alternatives below, satisfy the RFA. The relevant RFA requirement provides that an IRFA “shall also contain a description of any significant alternatives to the proposed rule which accomplish the stated objectives of applicable statutes and which minimize any significant economic impact of the proposed rule on small entities.” In the Proposing Release, the Commission discussed each of the types of significant alternatives noted in Section 603 of the RFA and concluded that none of these alternatives would accomplish the stated objectives of the rulemaking while minimizing any significant impact on small entities. In addition, Section III.E of the Proposing Release discussed reasonable alternatives to the proposed rules and their economic impacts. Similarly, in addition to the discussion in Section VI.E below, in Section IV.E of this release we also discuss reasonable alternatives of the final rules and their economic impacts.

While not commenting on the alternatives raised in the IRFA specifically, two commenters stated that the final rules should exempt smaller businesses. One of these commenters stated that small companies in the biotechnology industry “do not have the capacity, nor the business need, to have institutional structures related to the management, planning, oversight, and maintenance of cybersecurity related systems and suppliers. These companies should not have to hire extra employees specifically for the purposes of implementing cybersecurity related programs.” The other commenter noted that, with respect to the proposed requirement to require disclosure about the cybersecurity expertise of board members, small companies “have limited resources to begin with, and may find it more difficult than large companies to identify board members with requisite cyber expertise given that there already is a lack of talent in this area.”

With respect to the first of these commenters, we note that neither the proposed nor the final rules require any company to “implement new management structures” or otherwise adopt or change “institutional structures related to the management, planning, oversight, and maintenance of cybersecurity related systems and suppliers.” The final rules instead call for disclosure of a registrant’s processes, if any, for assessing, identifying, and managing material cybersecurity risks. To the extent that a registrant does not have such processes, the final rules do not impose any additional costs. With respect to the second of these commenters, we note that, consistent with commenter feedback and for the reasons discussed above, we have not adopted the proposed requirement related to disclosure of board cybersecurity expertise.

Finally, we note that many commenters explicitly opposed exempting smaller businesses from the proposed rules, in part because they may face equal or greater cybersecurity risk than larger companies, or because investors’ relative share in a smaller company may be higher, such that small companies’ cybersecurity risk “may actually embody the most pressing cybersecurity risk to an investor.” We agree with these analyses, and accordingly are not exempting small entities from the final rules. However, as discussed above, in response to concerns about the impact of the rules on smaller companies and in order to provide smaller reporting companies with additional time to prepare to comply with the incident disclosure requirements, we are providing such registrants with an additional 180 days from the non-smaller reporting company compliance date before they must comply with the new Form 8-K requirement.

C. Small Entities Subject to the Final Amendments

The final amendments would apply to registrants that are small entities. The RFA defines “small entity” to mean “small business,” “small organization,” or “small governmental jurisdiction.” For purposes of the RFA, under our rules, a registrant, other than an investment company, is a “small business” or “small organization” if it had total assets of $5 million or less on the last day of its most recent fiscal year and is engaged or proposing to engage in an offering of securities that does not exceed $5 million. An investment company, including a business development company, is considered to be a “small business” if it, together with other investment companies in the same group of related investment companies, has net assets of $50 million or less as of the end of its most recent fiscal year. We estimate that, as of December 31, 2022, there were approximately 800 issuers and 10 business development companies that may be considered small entities that would be subject to the proposed amendments.

D. Projected Reporting, Recordkeeping, and other Compliance Requirements

Per the final rules, registrants will be required to report material cybersecurity incidents on Form 8-K (or on Form 6-K, for FPIs), and will be required to describe in their annual reports on Forms 10-K and 20-F certain aspects of their cybersecurity risk management, strategy, and governance, if any. The final amendments are described in more detail in Section II above. These requirements generally will apply to small entities to the same extent as other entities, irrespective of size or industry classification, although we are adopting a later compliance date for smaller reporting companies in response to concerns raised by commenters. We continue to expect the nature of any benefits and costs associated with the amendments to be similar for large and small entities, and so we refer to the discussion of the amendments’ economic effects on all affected parties, including small entities, in Section IV above. Also consistent with the discussion in Sections II and IV above, we acknowledge that, in particular to the extent that a smaller entity would be required to provide disclosure under the final rules, it may face costs that are proportionally greater, as it may be less able to bear such costs relative to larger entities. However, as discussed in Section IV, we anticipate that the economic benefits and costs likely could vary widely among small entities based on a number of factors, such as the nature and conduct of their businesses, including whether the company actively manages material cybersecurity risks, which makes it difficult to project the economic impact on small entities with precision. To the extent that the disclosure requirements have a greater effect on small registrants relative to large registrants, they could result in adverse effects on competition. The fixed component of the legal costs of preparing the disclosure would be a primary contributing factor. Compliance with certain provisions of the final amendments may require the use of professional skills, including legal, accounting, and technical skills.

E. Agency Action to Minimize Effect on Small Entities

The RFA directs us to consider alternatives that would accomplish our stated objectives, while minimizing any significant adverse impact on small entities. Accordingly, we considered the following alternatives:

    • Exempting small entities from all or part of the requirements;
    • Establishing different compliance or reporting requirements that take into account the resources available to small entities;
    • Using performance rather than design standards; and
    • Clarifying, consolidating, or simplifying compliance and reporting requirements under the rules for small entities.

The rules are intended to better inform investors about cybersecurity incidents and, if any, the cybersecurity risk management, strategy, and governance of registrants of all types and sizes that are subject to the Exchange Act reporting requirements. We explain above in Sections II and IV that current requirements and guidance are not yielding uniform, comparable disclosure sufficient to meet investors’ needs. The disclosure that does exist is scattered in various parts of registrants’ filings, making it difficult for investors to locate, analyze, and compare across registrants. Staff has also observed that smaller reporting companies generally provide less cybersecurity disclosure as compared to larger registrants, and commenters agreed that there is a need for cybersecurity disclosure from small companies.

Given the current disclosure landscape, exempting small entities or otherwise clarifying, consolidating, or simplifying compliance and reporting requirements under the rules for small entities would frustrate the rulemaking’s goal of providing investors with more uniform and timely disclosure about material cybersecurity incidents and about cybersecurity risk management, strategy, and governance practices across all registrants. That said, as discussed in Section II above, we have consolidated and simplified the disclosure requirements for all entities, which should ease small entities’ compliance as well. Further, as noted above, smaller companies may face equal or greater cybersecurity risk than larger companies, making the disclosures important for investors in these companies.

On the other hand, we believe the rulemaking’s goals can be achieved by providing smaller reporting companies with additional time to come into compliance. Therefore, we are delaying smaller reporting companies’ required compliance date with the Form 8-K incident disclosure requirement by an additional 180 days from the non-smaller reporting company compliance date. This delay will benefit smaller reporting companies both by giving them extra time to establish disclosure controls and procedures and by allowing them to observe and learn from best practices as they develop among larger registrants.

Similarly, the final rules incorporate a combination of performance and design standards with respect to all subject entities, including small entities, in order to balance the objectives and compliance burdens of the rules. While the final rules do use design standards to promote uniform compliance requirements for all registrants and to address the concerns underlying the amendments, which apply to entities of all sizes, they also incorporate elements of performance standards to give registrants sufficient flexibility to craft meaningful disclosure that is tailored to their particular facts and circumstances. For example, the final rules require a registrant to describe its “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” The rule also provides a non-exclusive list of disclosure items that a registrant should include in providing responsive disclosure to this performance standard; this design element provides registrants with additional guidance with respect to the type of disclosure topics that could be covered and promotes consistency.

STATUTORY AUTHORITY

The amendments contained in this release are being adopted under the authority set forth in Sections 7 and 19(a) of the Securities Act and Sections 3(b), 12, 13, 15, and 23(a) of the Exchange Act.

List of Subjects in 17 CFR Parts 229, 232, 239, 240, and 249

Reporting and record keeping requirements, Securities.

TEXT OF AMENDMENTS

For the reasons set forth in the preamble, the Commission amends title 17, chapter II of the Code of Federal Regulations as follows:

PART 229—STANDARD INSTRUCTIONS FOR FILING FORMS UNDER SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 1934 AND ENERGY POLICY AND CONSERVATION ACT OF 1975—REGULATION S-K

1. The authority citation for part 229 continues to read as follows:

Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j, 77k, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 77ddd, 77eee, 77ggg, 77hhh, 77iii, 77jjj, 77nnn, 77sss, 78c, 78i, 78j, 78j-3, 78l, 78m, 78n, 78n-1, 78o, 78u-5, 78w, 78ll, 78mm, 80a-8, 80a-9, 80a-20, 80a-29, 80a-30, 80a-31(c), 80a-37, 80a-38(a), 80a-39, 80b-11 and 7201 et seq.; 18 U.S.C. 1350; sec. 953(b), Pub. L. 111-203, 124 Stat. 1904 (2010); and sec. 102(c), Pub. L. 112-106, 126 Stat. 310 (2012).

2. Add §229.106 to read as follows:

§229.106 (Item 106) Cybersecurity.

(a) Definitions. For purposes of this section:

Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

Cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.

(b) Risk management and strategy.

(1) Describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:

(i) Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;

(ii) Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and

(iii) Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

(2) Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.

(c) Governance.

(1) Describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.

(2) Describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:

(i) Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;

(ii) The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and

(iii) Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

Instruction 1 to Item 106(c): In the case of a foreign private issuer with a two-tier board of directors, for purposes of paragraph (c) of this section, the term “board of directors” means the supervisory or non-management board. In the case of a foreign private issuer meeting the requirements of §240.10A-3(c)(3) of this chapter, for purposes of paragraph (c) of this Item, the term “board of directors” means the issuer’s board of auditors (or similar body) or statutory auditors, as applicable.

Instruction 2 to Item 106(c): Relevant expertise of management in Item 106(c)(2)(i) may include, for example: Prior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity.

(d) Structured Data Requirement.

Provide the information required by this Item in an Interactive Data File in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual.

3. Amend §229.601 by revising paragraph (b)(101)(i)(C)(1) as follows:

§ 229.601 (Item 601) Exhibits.

* * * * *
(b) * * *
(101) * * *
(i) * * *
(C) * * *
(1) Only when:

(i) The Form 8-K contains audited annual financial statements that are a revised version of financial statements that previously were filed with the Commission and that have been revised pursuant to applicable accounting standards to reflect the effects of certain subsequent events, including a discontinued operation, a change in reportable segments or a change in accounting principle. In such case, the Interactive Data File will be required only as to such revised financial statements regardless of whether the Form 8-K contains other financial statements; or

(ii) The Form 8-K includes disclosure required to be provided in an Interactive Data File pursuant to Item 1.05(b) of Form 8-K; and

* * * * *

PART 232—REGULATION S-T—GENERAL RULES AND REGULATIONS FOR ELECTRONIC FILINGS

4. The general authority citation for part 232 continues to read as follows:

Authority: 15 U.S.C. 77c, 77f, 77g, 77h, 77j, 77s(a), 77z-3, 77sss(a), 78c(b), 78l, 78m, 78n, 78o(d), 78w(a), 78ll, 80a-6(c), 80a-8, 80a-29, 80a-30, 80a-37, 80b-4, 80b-6a, 80b-10, 80b-11, 7201 et seq.; and 18 U.S.C. 1350, unless otherwise noted.

* * * * *

5. Amend §232.405 by adding paragraph (b)(4)(v) to read as follows:

§232.405 Interactive Data File submissions.

* * * * *
(b) * * *
(4) * * *

(v) Any disclosure provided in response to: §229.106 of this chapter (Item 106 of Regulation S-K); Item 1.05 of §249.308 of this chapter (Item 1.05 of Form 8-K); and Item 16K of § 249.220f of this chapter (Item 16K of Form 20-F).

PART 239—FORMS PRESCRIBED UNDER THE SECURITIES ACT OF 1933

6. The general authority citation for part 239 continues to read as follows:

Authority: 15 U.S.C. 77c, 77f, 77g, 77h, 77j, 77s, 77z-2, 77z-3, 77sss, 78c, 78l, 78m, 78n, 78o(d), 78o-7 note, 78u-5, 78w(a), 78ll, 78mm, 80a-2(a), 80a-3, 80a-8, 80a-9, 80a-10, 80a-13, 80a-24, 80a-26, 80a-29, 80a-30, 80a-37, and sec. 1003 and sec. 84001, Pub. L. 114-94, 129 Stat. 1321, unless otherwise noted.

7. Amend § 239.13 by revising paragraph (a)(3)(ii) to read as follows:

§239.13 Form S-3, for registration under the Securities Act of 1933 of securities of certain issuers offered pursuant to certain types of transactions.

(a) * * *
(3) * * *

(ii) Has filed in a timely manner all reports required to be filed during the twelve calendar months and any portion of a month immediately preceding the filing of the registration statement, other than a report that is required solely pursuant to Item 1.01, 1.02, 1.05, 2.03, 2.04, 2.05, 2.06, 4.02(a), 6.01, 6.03, or 6.05 of Form 8-K (§ 249.308 of this chapter). If the registrant has used (during the twelve calendar months and any portion of a month immediately preceding the filing of the registration statement) § 240.12b-25(b) of this chapter with respect to a report or a portion of a report, that report or portion thereof has actually been filed within the time period prescribed by that section; and

8. Amend Form S-3 (referenced in § 239.13) by adding General Instruction I.A.3(b).

Note: Form S-3 is attached as Appendix A to this document. Form S-3 will not appear in the Code of Federal Regulations.

PART 240—GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 1934

9. The authority citation for part 240 continues to read, in part, as follows:

Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z-2, 77z-3, 77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78c-3, 78c-5, 78d, 78e, 78f, 78g, 78i, 78j, 78j-1, 78k, 78k-1, 78l, 78m, 78n, 78n-1, 78o, 78o-4, 78o-10, 78p, 78q, 78q-1, 78s, 78u-5, 78w, 78x, 78dd, 78ll, 78mm, 80a-20, 80a-23, 80a-29, 80a-37, 80b-3, 80b-4, 80b-11, 7201 et seq., and 8302; 7 U.S.C. 2(c)(2)(E); 12 U.S.C. 5221(e)(3); 18 U.S.C. 1350; Pub. L. 111-203, 939A, 124 Stat. 1376 (2010); and Pub. L. 112-106, sec. 503 and 602, 126 Stat. 326 (2012), unless otherwise noted.

Section 240.15d-11 is also issued under secs. 3(a) and 306(a), Pub. L. 107-204, 116 Stat. 745.

10. Amend § 240.13a-11 by revising paragraph (c) to read as follows:

§240.13a-11 Current reports on Form 8-K (§249.308 of this chapter).

(c) No failure to file a report on Form 8-K that is required solely pursuant to Item 1.01, 1.02, 1.05, 2.03, 2.04, 2.05, 2.06, 4.02(a), 5.02(e), or 6.03 of Form 8-K shall be deemed to be a violation of 15 U.S.C. 78j(b) and §240.10b-5.

11. Amend § 240.15d-11 by revising paragraph (c) to read as follows:

§240.15d-11 Current reports on Form 8-K (§249.308 of this chapter).

(c) No failure to file a report on Form 8-K that is required solely pursuant to Item 1.01, 1.02, 1.05, 2.03, 2.04, 2.05, 2.06, 4.02(a), 5.02(e), or 6.03 of Form 8-K shall be deemed to be a violation of 15 U.S.C. 78j(b) and §240.10b-5.

PART 249—FORMS, SECURITIES EXCHANGE ACT OF 1934

12. The authority citation for part 249 continues to read, in part, as follows:

Authority: 15 U.S.C. 78a et seq. and 7201 et seq.; 12 U.S.C. 5461 et seq.; 18 U.S.C. 1350; Sec. 953(b), Pub. L. 111-203, 124 Stat. 1904; Sec. 102(a)(3), Pub. L. 112-106, 126 Stat. 309 (2012); Sec. 107, Pub. L. 112-106, 126 Stat. 313 (2012), Sec. 72001 Pub. L. 114-94, 129 Stat. 1312 (2015), and secs. 2 and 3 Pub. L. 116-222, 134 Stat. 1063 (2020), unless otherwise noted.

Section 249.220f is also issued under secs. 3(a), 202, 208, 302, 306(a), 401(a), 401(b), 406 and 407, Pub. L. 107-204, 116 Stat. 745, and secs. 2 and 3, Pub. L. 116-222, 134 Stat. 1063.

Section 249.308 is also issued under 15 U.S.C. 80a-29 and 80a-37.

Section 249.310 is also issued under secs. 3(a), 202, 208, 302, 406 and 407, Pub. L. 107-204, 116 Stat. 745.

13. Revise Form 20-F (referenced in § 249.220f) by adding Item 16K.

Note: Form 20-F is attached as Appendix B to this document. Form 20-F will not appear in the Code of Federal Regulations.

14. Amend Form 6-K (referenced in § 249.306) by adding, in the second paragraph of General Instruction B, the phrase “material cybersecurity incident;” before the phrase “and any other information which the registrant deems of material importance to security holders.”

15. Revise Form 8-K (referenced in §249.308) by:

a. Revising General Instruction B.1.;

b. Revising General Instruction G.1.; and

c. Adding Item 1.05.

Note: Form 8-K is attached as Appendix C to this document. Form 8-K will not appear in the Code of Federal Regulations.

16. Revise Form 10-K (referenced in § 249.310) by:

a. Revising General Instruction J(1)(b); and

b. Adding Item 1C to Part I.

Note: Form 10-K is attached as Appendix D to this document. Form 10-K will not appear in the Code of Federal Regulations.

By the Commission.

Dated: July 26, 2023

Vanessa A. Countryman,

Secretary.

Note: The following appendices will not appear in the Code of Federal Regulations.

Appendix A—Form S-3

FORM S-3

INFORMATION TO BE INCLUDED IN THE REPORT

General Instructions

I. Eligibility Requirements for Use of Form S-3

A. Registrant Requirements.

3. * * *

(b) has filed in a timely manner all reports required to be filed during the twelve calendar months and any portion of a month immediately preceding the filing of the registration statement, other than a report that is required solely pursuant to Item 1.01, 1.02, 1.04, 1.05, 2.03, 2.04, 2.05, 2.06, 4.02(a) or 5.02(e) of Form 8-K (§249.308 of this chapter). If the registrant has used (during the twelve calendar months and any portion of a month immediately preceding the filing of the registration statement) Rule 12b-25(b) (§240.12b-25(b) of this chapter) under the Exchange Act with respect to a report or a portion of a report, that report or portion thereof has actually been filed within the time period prescribed by that rule.

Appendix B—Form 20-F

FORM 20-F

PART II

Item 16K. Cybersecurity.

(a) Definitions. For purposes of this section:

(1) Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

(2) Cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

(3) Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.

(b) Risk management and strategy.

(1) Describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:

(i) Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;

(ii) Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and

(iii) Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

(2) Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.

(c) Governance.

(1) Describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.

(2) Describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:

(i) Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;

(ii) The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and

(iii) Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

Instructions to Item 16K(c).

1. In the case of a foreign private issuer with a two-tier board of directors, for purposes of paragraph (c) of this Item, the term “board of directors” means the supervisory or non-management board. In the case of a foreign private issuer meeting the requirements of §240.10A-3(c)(3) of this chapter, for purposes of paragraph (c) of this Item, the term “board of directors” means the issuer’s board of auditors (or similar body) or statutory auditors, as applicable.

2. Relevant expertise of management in paragraph (c)(2)(i) of this Item may include, for example: Prior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity.

(d) Structured Data Requirement.

Provide the information required by this Item in an Interactive Data File in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual.

Instruction to Item 16K. Item 16K applies only to annual reports, and does not apply to registration statements on Form 20-F.

Appendix C—Form 8-K

FORM 8-K

GENERAL INSTRUCTIONS

* * * * *

B. Events to be Reported and Time for Filing of Reports.

1. A report on this form is required to be filed or furnished, as applicable, upon the occurrence of any one or more of the events specified in the items in Sections 1 through 6 and 9 of this form. Unless otherwise specified, a report is to be filed or furnished within four business days after occurrence of the event. If the event occurs on a Saturday, Sunday or holiday on which the Commission is not open for business, then the four business day period shall begin to run on, and include, the first business day thereafter. A registrant either furnishing a report on this form under Item 7.01 (Regulation FD Disclosure) or electing to file a report on this form under Item 8.01 (Other Events) solely to satisfy its obligations under Regulation FD (17 CFR 243.100 and 243.101) must furnish such report or make such filing, as applicable, in accordance with the requirements of Rule 100(a) of Regulation FD (17 CFR 243.100(a)), including the deadline for furnishing or filing such report. A report pursuant to Item 5.08 is to be filed within four business days after the registrant determines the anticipated meeting date. A report pursuant to Item 1.05 is to be filed within four business days after the registrant determines that it has experienced a material cybersecurity incident.

G. Use of this Form by Asset-Backed Issuers.

1. * * *

(a) Item 1.05, Cybersecurity Incidents;
(b) Item 2.01, Completion of Acquisition or Disposition of Assets;
(c) Item 2.02, Results of Operations and Financial Condition;
(d) Item 2.03, Creation of a Direct Financial Obligation or an Obligation under an Off-Balance Sheet Arrangement of a Registrant;
(e) Item 2.05, Costs Associated with Exit or Disposal Activities;
(f) Item 2.06, Material Impairments;
(g) Item 3.01, Notice of Delisting or Failure to Satisfy a Continued Listing Rule or Standard; Transfer of Listing;
(h) Item 3.02, Unregistered Sales of Equity Securities;
(i) Item 4.01, Changes in Registrant’s Certifying Accountant;
(j) Item 4.02, Non-Reliance on Previously Issued Financial Statements or a Related Audit Report or Completed Interim Review;
(k) Item 5.01, Changes in Control of Registrant;
(l) Item 5.02, Departure of Directors or Principal Officers; Election of Directors; Appointment of Principal Officers;
(m) Item 5.04, Temporary Suspension of Trading Under Registrant’s Employee Benefit Plans; and
(n) Item 5.05, Amendments to the Registrant’s Code of Ethics, or Waiver of a Provision of the Code of Ethics.

INFORMATION TO BE INCLUDED IN THE REPORT

Section 1 – Registrant’s Business and Operations

Item 1.05 Material Cybersecurity Incidents.

(a) If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

(b) A registrant shall provide the information required by this Item in an Interactive Data File in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual.

(c) Notwithstanding General Instruction B.1. to Form 8-K, if the United States Attorney General determines that disclosure required by paragraph (a) of this Item 1.05 poses a substantial risk to national security or public safety, and notifies the Commission of such determination in writing, the registrant may delay providing the disclosure required by this Item 1.05 for a time period specified by the Attorney General, up to 30 days following the date when the disclosure required by this Item 1.05 was otherwise required to be provided. Disclosure may be delayed for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. Beyond the final 60-day delay under this paragraph, if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through Commission exemptive order.

(d) Notwithstanding General Instruction B.1. to Form 8-K, if a registrant that is subject to 47 CFR 64.2011 is required to delay disclosing a data breach pursuant to such rule, it may delay providing the disclosure required by this Item 1.05 for such period that is applicable under 47 CFR 64.2011(b)(1) and in no event for more than seven business days after notification required under such provision has been made, so long as the registrant notifies the Commission in correspondence submitted to the EDGAR system no later than the date when the disclosure required by this Item 1.05 was otherwise required to be provided.

Instructions to Item 1.05.

1. A registrant’s materiality determination regarding a cybersecurity incident must be made without unreasonable delay after discovery of the incident.

2. To the extent that the information called for in Item 1.05(a) is not determined or is unavailable at the time of the required filing, the registrant shall include a statement to this effect in the filing and then must file an amendment to its Form 8-K filing under this Item 1.05 containing such information within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available.

3. The definition of the term “cybersecurity incident” in §229.106(a) [Item 106(a) of Regulation S-K] applies to this Item.

4. A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.