Publicly traded glass and glazing companies must disclose any cybersecurity incident they determine to be material* and describe the event in a new item of an existing SEC form within four business days of that determination, according to a new rule issued by the U.S. Securities and Exchange Commission (SEC). The clock runs from the materiality determination, not from the date the incident occurred or was discovered.
SEC officials say companies must also periodically disclose their cybersecurity risk management, strategy and governance in annual reports. Officials add that the new rules are intended to enhance accountability and transparency.
While many publicly traded companies already disclose cybersecurity incidents to investors, SEC Chair Gary Gensler says companies and investors will benefit from more consistency and promptness.
“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” explains Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this disclosure were made in a more consistent, comparable and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”
The latest regulations mandate that companies disclose any cybersecurity incident they deem material under the new Item 1.05 of Form 8-K. They are required to describe the material aspects of the incident's nature, scope and timing, as well as its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The rule does not require a company to disclose specific technical details of its response, its systems or its vulnerabilities where doing so would impede remediation, so the filing is a business-level description of the incident, not an incident report.
The new rules also add Regulation S-K Item 106. The regulation requires companies to describe their processes for “assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to affect the registrant materially.” Item 106 also requires a description of the board's oversight of cybersecurity risk and of management's role and expertise in assessing and managing it. These disclosures are required in a registrant's annual report on Form 10-K.
Apogee Enterprises Inc. officials say the publicly traded company will comply with the SEC’s new cybersecurity rule requirements.
The company states in its 2023 Proxy Statement that “our full Board oversees our cybersecurity risk management with regular reports to the Board on cybersecurity risks facing the company and the systems management has implemented to identify and manage those risks.”
The statement adds that “at least twice per year, and more frequently, if necessary, our chief information officer updates our Board on the company’s information technology and cyber risk profile and the steps management takes to mitigate those risks. The company employs external advisors to assist with cybersecurity risk assessments, including external network penetration testing, cyber event preparedness exercises and developing risk mitigation strategies.”
According to experts, the most important takeaway from the new rules is that companies will now need to maintain written records detailing their cybersecurity program. Those records also give shareholders, the SEC and plaintiffs' attorneys documentary evidence of how seriously a company manages its cybersecurity risk. The rules therefore establish a basis for holding companies accountable if they do not effectively oversee these risks, which matters as cyberattacks have only increased since the pandemic.
*Though officials say commenters sought a formal definition of “material” or further guidance, the SEC declined to replace materiality with a significance standard. Companies are instead left to rely on the long-standing securities-law definition of materiality, drawn from case law in non-cyber contexts decades ago: information is material if there is a substantial likelihood that a reasonable investor would consider it important.