
SEC cyber reporting rule presents compliance, insurance complexities


Businesses will face challenges complying with a cybersecurity rule issued by the U.S. Securities and Exchange Commission late last month that gives them just four business days, once they determine a cyber breach is material, to report it publicly, experts say.

Policyholders may find coverage exclusions in their cyber liability and directors and officers liability insurance policies if claims arise from the regulation.

Under the rule, approved by the SEC on a party-line 3-2 vote on July 26, companies must determine an incident’s materiality without “unreasonable delay” and file an Item 1.05 Form 8-K, generally within four business days.

The material incident disclosure requirement takes effect Dec. 18, with smaller companies having a 180-day deferral.

The regulation also requires companies to describe their processes for assessing, identifying and managing material risks from cybersecurity threats, along with the board’s oversight and management’s role in handling those risks. The information must be included in annual reports for fiscal years ending on or after Dec. 15.

SEC Chair Gary Gensler said in a statement that while many public companies provide cybersecurity disclosure to investors, “companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

The 186-page regulation has been in the works for several years.

The SEC has been seeking this information on a voluntary basis, but “there’s been very little compliance,” said Arturo Perez-Reyes, senior vice president and cyber strategist at San Francisco-based Newfront Insurance.

“It represents a complete sea change from where we’ve been before” in accountability and transparency for corporate boards, said Dominique Shelton Leipzig, a partner with Mayer Brown in Los Angeles.

This has never been required before for annual statements “and highlights the importance of boards being involved in this process,” she said.

“It’s an aggressive response to try to force companies to come clean about these breaches as soon as possible,” said Peter A. Halprin, a partner with Pasich LLP in New York.

The purpose of the rule is to let the stock markets “know what is happening almost in real-time with a cyber incident. That is pretty revolutionary,” said Aloke S. Chakravarty, a Denver-based partner at Snell & Wilmer LLP, who is co-chair of the firm’s cybersecurity, data protection and privacy practice.

After the rule goes into effect, the SEC likely “will choose the most egregious cases” to pursue for violating the rule to set an example, he said.

The rule could affect insurance coverage, experts say.

“We can expect that clients are going to be looking more and more to their cyber and their management liability — in particular D&O — insurance to try to deal with any consequences of their liability,” Mr. Halprin said.

David Anderson, New York-based vice president of cyber for Woodruff-Sawyer & Co., said D&O policies, which provide coverage for errors and omissions by management, boards of directors, audit committees and chief information officers, are more likely than cyber policies to respond, although cyber-related exclusions in these policies are not uncommon.

Mr. Perez-Reyes said that just as companies may find their D&O policies have exclusions for cyber-related incidents, their cyber policies may have D&O-related exclusions as well. Insurers may issue very broad exclusions to avoid the possibility of, for example, having a D&O policy cover a “normal hacking claim” rather than one that involves SEC-related allegations against directors and officers, he said.

“There’s been a hole that’s opening up between cyber and D&O policies, and this will widen the gap and require creative work by brokers” to close, he said.

Mr. Chakravarty said the four-day notice requirement “is a big deal” because the regulation is very specific in providing such a short time frame. “It’s very difficult to figure out whether something is material that quickly,” he said.

Mr. Anderson said the four-day rule is “complicated and perilous for public companies because there is always the specter of litigation.”

Companies should look at their internal procedures with regard to reporting cyberattacks, make sure they are in compliance and have robust insurance coverage as a failsafe if violations are alleged, Mr. Halprin of Pasich said.

Mr. Chakravarty said smaller companies are more likely to be affected by the compliance requirements, because larger companies may have a “mature security infrastructure.”