One controversial aspect of the rule is the timeline it provides for public companies to disclose a cybersecurity incident on Form 8-K. If companies determine an incident is material, they must disclose that incident within four business days of that determination, the rule states.
"The disclosure may be delayed if the United States attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the commission of such determination in writing," an SEC news release states.
The rule also requires that companies disclose their cybersecurity risk management, strategy and governance in annual reports, and requires similar disclosures from foreign private issuers.
Ms. Peirce said Wednesday that obtaining approval from the attorney general within four business days would be "quite a feat," and she expressed concern that even pared-back disclosures would put additional burdens on companies.
Chairman Gary Gensler pointed out that the rule, unlike the original proposal issued in March 2022, does not require any disclosures of non-material information related to incidents. He also said many public companies already disclose cybersecurity information to investors.
"I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way," Mr. Gensler said Wednesday.
"This rule, in conjunction with other cybersecurity-related reforms the SEC is pursuing, will better protect investors, companies, and markets from these increasingly damaging and predatory events," Stephen Hall, legal director and securities specialist at Better Markets, said in a news release Wednesday.