SEC Makes it Mandatory for Companies to Disclose Cyberattack Breaches Involving Data Leaks Within 4 Days


The Securities and Exchange Commission (SEC) is pressing corporate America to provide investors with more comprehensive information about cybersecurity breaches and the measures being taken to combat them.

This push comes as the SEC has voted 3-2 to adopt new rules requiring public companies to disclose “material” cybersecurity breaches within four days after determining that an incident is significant.

The SEC justifies this move by stating that gathering this data is essential for protecting investors. However, corporate America is resisting, arguing that the four-day disclosure window is too short, could potentially harm corporations, and may be exploited by cybercriminals.

The final rules are set to become effective 30 days after their publication in the Federal Register.

Presently, the rules governing when a company must report a cybersecurity event are unclear. Companies are required to file an 8-K report to inform shareholders of significant events, but the SEC believes that the requirements for reporting a cybersecurity event are “inconsistent.”

In addition to mandating the disclosure of cybersecurity breaches within four days, the SEC also wants companies to provide more details, such as the timing of the incident and its material impact on the company.

Furthermore, companies will be required to disclose the level of management expertise in cybersecurity.

The pushback from corporate America mirrors the resistance to many of SEC Chair Gary Gensler’s other rulemaking proposals: the complaint that they are excessive.

“The SEC is demanding the disclosure of far too much, highly sensitive, and subjective information at premature stages, without giving proper consideration to the prudential regulators of public companies or relevant cybersecurity specialist agencies,” said the Securities Industry and Financial Markets Association (SIFMA), an industry trade group, in a letter to the SEC.

Industry Concerns

The most significant industry concerns are:

  • Four days is too short a period. SIFMA and others argue that this timeframe denies companies the opportunity to focus on remediation and mitigation of the incident’s impacts.
  • Premature public disclosure could harm companies. The New York Stock Exchange (NYSE), representing its listed companies, has written to the SEC, asserting that corporations should be allowed to delay public disclosures in two specific situations: 1) until the incident has been remediated, and 2) if law enforcement determines that a disclosure could interfere with a civil or criminal investigation.

The proposed rule does allow the Attorney General to delay reporting if it’s determined that immediate disclosure would pose a substantial risk to national security.

SEC Data Breach Rules

“Premature public disclosure of an incident without ensuring that the threat has been fully neutralized could provide cybercriminals with valuable information to expand their attack,” said Hope Jarkowski, NYSE Group general counsel, in the letter.

Nasdaq, in a separate letter to the SEC, echoed these concerns, noting that “the obligation to disclose may reveal additional information to an unauthorized intruder who may still have access to the company’s information systems at the time the disclosure is made, potentially causing further harm to the company.”

Another concern is the issue of overlapping regulations. Many public companies already have protocols in place to share critical information about cyber incidents with other federal agencies, including the FBI.

The lead agency for cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security, is currently adopting cybersecurity rules that, under legislation passed last year, require “critical infrastructure entities,” including financial institutions, to report cyber breaches within three days to CISA.

This three-day requirement could conflict with the SEC’s four-day rule, creating duplicate reporting requirements.

All of this raises a central question: who should be responsible for regulating cybersecurity? “The Commission is not a prudential cybersecurity regulator for all registrants,” SIFMA noted.

What Is the SEC Trying to Achieve?

Cybersecurity is just a small part of the more than 50 proposed rules that Gensler has put forward, nearly 40 of which are in the Final Rule stage.

A common theme in much of Gensler’s rulemaking agenda is “disclosure”: more disclosure about cybersecurity, board diversity, climate change, and numerous other issues.

“Gensler claims he wants more transparency, believing it will protect investors,” said Mahlet Makonnen, a principal at Williams & Jensen.

However, the industry fears that the data collected will impose unnecessary burdens on companies, fail to protect investors, and could be used to bolster the SEC’s aggressive enforcement tactics under Gensler.

“The more information they collect, the more the SEC can determine if there are violations of rules and regulations, allowing them to expand enforcement actions. The SEC will argue that they have broad authority to protect investors, and the disclosures can be used to increase enforcement actions,” Makonnen added.

Another long-time SEC observer, who wished to remain anonymous, agreed, suggesting that the ultimate aim of increased disclosure is to expand the SEC’s enforcement power.

“It allows the SEC to claim they are protecting investors and provides a basis for requesting more funding from Congress,” the observer noted.

“You don’t get more money from Congress by asking for funds for market structure. You get more money by claiming you are protecting grandma.”

Nate O'Hara
Nathan is a seasoned commerce writer with a passion for unraveling the intricacies of the business world and distilling them into engaging narratives. During his academic journey, he delved deep into subjects like economics, marketing, and entrepreneurship, honing his analytical skills and developing a keen understanding of market dynamics.