SEC Calls for Expansion of Cybersecurity Disclosure Requirements

The Securities and Exchange Commission is seeking to expand its cybersecurity disclosure rules, which, if adopted, would require publicly traded corporations to offer deeper public insights into a variety of data security issues, including risk management, governance and incident reporting.

The SEC announced the proposed rules following last week’s open meeting. SEC Chair Gary Gensler noted that the agency’s primary goal was to create standard ways of presenting relevant cybersecurity information to financial-statement users “in a consistent, comparable and decision-useful manner,” adding that demand for the disclosures comes from investors.

“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk,” Gensler said.

Concerns about cybersecurity disclosures have lingered for years among financial regulators. A 2019 study by former SEC member Robert Jackson found that roughly 90% of hacks and similar incidents that took place in 2018 went unreported.

Under the proposed changes, issuers would be required to disclose material cybersecurity incidents – data breaches, ransomware attacks and the like – via Form 8-K filings within four business days after companies determine they were subject to an incident. Moreover, companies would need to offer updates regarding previously disclosed cybersecurity breaches. The proposal would also require issuers to report when a slew of individually immaterial cybersecurity incidents rise in the aggregate to the level of materiality.

Meanwhile, the SEC is calling for “enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy and governance.” Those are the broad strokes, at least. In practice, the commission wants details on how companies manage cybersecurity risks. That entails matters such as the role of cybersecurity in a corporation’s business strategy and financial planning. The proposal would also require a registered company to disclose information about the role of its board of directors in cybersecurity oversight.

One SEC commissioner isn’t on board with the agency’s project. Hester Peirce, who was appointed during the prior presidential administration, voted against the proposal, maintaining that it fell outside the SEC’s prescribed role. She described the disclosure requirements as “micromanagement” of companies, which she thinks should be able to determine their own cybersecurity programs.

Given the geopolitical situation, Peirce’s views on a more laissez-faire approach to cybersecurity probably won’t find much favor among policymakers. Russia’s military invasion of Ukraine and cyberattacks on Ukrainian government institutions and infrastructure have heightened anxiety among government officials in both the United States and Europe. The U.S. Cybersecurity & Infrastructure Security Agency has issued data-protection recommendations for all U.S. individuals and organizations, including corporate leaders and CEOs. Tying cyber risk to national security in such a way tends to point policy in the most cautious of directions.
