Improving the Quality of Cybersecurity Risk Management Disclosures

July 26, 2023

Today, the Commission is voting to adopt a rule that will require public companies to enhance and standardize their disclosures on cybersecurity risk management, strategy, and governance, as well as incident reporting. I am pleased to support this rule because it will strengthen the quality, consistency, and timeliness of cybersecurity-related disclosures to investors.

The statistics are eye-opening:

  • Over the last decade, breaches increased 600 percent, from 28 in 2011 to 188 in 2021. 
  • In 2022, 83 percent of organizations experienced more than one data breach.
  • Last year, the average cost of a data breach in the U.S. was $9.44 million.
  • Overall, some estimates on the economy-wide total costs run as high as trillions of dollars per year in the U.S. alone.

In the face of these numbers, corporate executives have prioritized cyber risk management in recent years. For example, a 2022 survey of audit committee board members identified cybersecurity as a top area of focus in the coming year.

And yet today, there are zero disclosure requirements that explicitly refer to cybersecurity risks, governance, or incident reporting.

The final rule will change that, and provide investors with more timely, standardized, and informative disclosures, which will reduce market mispricing and information asymmetries.

Currently, in the absence of specific disclosure requirements, companies can cherry-pick which aspects of their cybersecurity risk management processes to disclose, if they disclose at all. By clarifying what companies must disclose, the rule will provide investors with more certainty and easier comparability. This will reduce the risk of adverse selection, and the potential mispricing of a company.

Beyond the clear benefits to investors, the rule will also have broader, indirect benefits. For example, more timely reporting of cyber incidents can serve as an alert to companies in the same sector that malign actors are launching cyber-attacks. Such companies could have more time to raise their cyber defenses and to mitigate any potential damage.

Consumers may also benefit through more informed decision-making about which companies to entrust with their sensitive personal information.

Some commenters raised concerns that providing detailed disclosures of cyber incidents could provide a roadmap for future attacks. But the final rule does not require specific, technical information that would serve that harmful purpose. Instead, it is focused on what the material impacts, or reasonably likely material impacts, of the incident will be. These impacts could affect a company’s valuation and profitability – such as intellectual property loss, business interruption, increased costs of capital, or reputational damage.

For example, even if not quantifiable, the risk that a large segment of customers will lose faith in a business’s ability to protect sensitive personal information may certainly be material to an investor’s decision to invest in a company. This is especially the case in our post-COVID world, where working people in our country spend ever greater amounts of time working remotely.

The rule also includes a time-limited delay for disclosures if the Attorney General notifies the Commission in writing that the disclosures would pose a substantial risk to national security or public safety.

This approach is sufficiently narrow and strikes the appropriate balance between the Commission’s prerogative to protect investors and the Department of Justice’s national security and public safety equities.

Lastly, I would like to thank Senator Jack Reed of Rhode Island for his leadership on this issue over many years, as reflected in the Cybersecurity Disclosure Act, first introduced in 2015. This bipartisan legislation was prescient in highlighting the importance of cybersecurity risk management disclosures to investors. The Commission’s actions today will advance similar goals to increase the transparency and decision-useful information available to investors on this topic.

I’m pleased to support the adoption of today’s rule and would like to thank all of the Commission staff, particularly in the Division of Corporation Finance, for their hard work and for their commitment to fulfilling the SEC’s mission on behalf of the investing public.