Congress established the core framework of our rulemaking process in 1946, when the Administrative Procedure Act passed unanimously into law.[1] This is the foundational framework through which federal agencies, such as the SEC, incorporate feedback from the public. It is a rigorous and invaluable process. And, as is always the case, this process has fundamentally informed the policies that we adopt. So I want to start by thanking the many commenters who weighed in on this rule, who helped magnify the extent of the cybersecurity related risks faced by public companies and their investors, and who helped us crystalize the cybersecurity rule we vote on today.

To give some context, cybersecurity breaches reported by public companies increased by nearly 600% in the last decade and the costs, borne by issuers and their investors, are estimated to be in the trillions of dollars per year in the U.S. alone.[2] The numbers are staggering, and I’m cognizant that even those substantial measurements do not tell the whole story. Cybersecurity intrusions can go beyond the loss of sensitive information and related remediation; as we saw in the Colonial Pipeline intrusion in 2021, they can alter the normal course operations of complex, capital- and infrastructure-intensive businesses.

And as the comment file substantiated, knowledge of cybersecurity threats and breaches are essential to understanding a firm. Among other reasons, breaches can (and do) result in loss of revenue, customers, and business opportunities.[3] Those harms may be realized or they may be ongoing in the form of lost sensitive information, remediation costs, and losses in shareholder value.[4]

Despite the consensus on the harmful nature of cyber incidences, commenters highlighted that existing disclosure practices vary in substance, organization, and presentation, thus establishing a need for, and benefit of, comparable, reliable, and decision-useful disclosures to investors.[5]

Today’s rule serves as an important reminder of how our continuous reporting framework incorporates emerging risks – just as it was intended to do.[6] The rule will, among other things, provide investors and market participants across the board with critical information relating to a company’s risk management and strategy, as well as governance, in its periodic reporting. The rule will also enhance the current reporting framework by adding the obligation that a public issuer file a Form 8-K upon experiencing a material cybersecurity incident.[7] And finally, we take the important first step of ensuring adequate disclosure of managements’ cyber expertise. Commenters of all stripes agreed cyber expertise at public companies is critical,[8] and this new disclosure will help ensure investors understand what skillset management brings to bear on the day-to-day oversight and operations related to cyber risks and incidents. Nonetheless the Commission should continue to consider further disclosures, such as whether there is cyber-related expertise on the board.

Congratulations to all of the staff for their tremendous work on this rule. Your dedication, diligence, and thoughtfulness cannot be overstated. Investors and the market alike benefit from your work. Thank you again to all of the staff who worked on this rule, including those within the Division of Corporation Finance, Office of the General Counsel, and Division of Economic and Risk Analysis.