Are the SEC’s New Cybersecurity Rules Coming Too Late?

The phrase “fighting the last war” often comes to mind when discussing the federal government’s rulemaking process. It’s a familiar cycle: Something emerges as a problem that catches companies unprepared, and regulators begin the iterative slog of drafting rules, soliciting comments from the public on their proposals and re-drafting new versions in response to the feedback. Meanwhile, if the issue that triggered the rulemaking poses a big enough problem for companies, they’ve likely taken steps to address it well in advance of any final regulatory guidance.

The Securities and Exchange Commission seems to be playing a game of catch-up now as it seeks to modernize cybersecurity rules. The project started in earnest last year in response to national security risks, such as cyber threats against information technology networks and fuel pipelines. The effort produced a package of proposed measures from the SEC designed to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies.”

The proposed rules focused on disclosing material cybersecurity incidents – think ransomware attacks and data breaches – in a timely manner, as well as guidelines for providing updates on previously disclosed events. Additionally, the SEC called for “enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy and governance.” For example, how do the directors on issuers’ boards factor into companies’ cybersecurity strategies?

In all fairness, the rise in cybersecurity threats is a national security issue when public infrastructure is put at risk. Not to mention, we could broaden our definition of infrastructure substantially when we consider the ubiquity of commercial products such as cell phones in our daily lives. Investors also benefit from more transparency when it comes to all aspects of corporate risk management, cybersecurity included.

So, any efforts by the government to prod major corporations into beefing up their cybersecurity programs should be considered well-intentioned. But are they necessary?

There is evidence to suggest that issuers already grasp the potential for ruinous outcomes from cyber threats. For example, a Wall Street Journal survey released in March found that more than three-quarters of corporate boards already have at least one member who is well-versed in cybersecurity. The role of chief information security officer generally carries more weight in corporate governance strategy now than in the past, especially in the eyes of board members.

And don’t forget that corporations answer to sophisticated institutional investors. Fall short on matters of risk management and the people in C-suites risk stockholder-led revolts.

In other words, new cybersecurity regulations may not produce much in the way of clear, direct benefits to companies themselves and our national security against cyber threats. But if the new rules serve as constant reminders to companies of their responsibilities to stakeholders and the importance of cybersecurity in a broad sense, they are worth the effort.

Latest Articles

Government, Industry Hustling to Keep Up With AI

The rise of artificial intelligence is either building towards a new era of human achievement or the death of civil society, depending on who you ask. As AI technology continues to...

Read More

In Move Against Activist Investors, Exxon Opens Up Auto Voting

For retail investors, proxy season offers an opportunity to let the C-suite know how they feel about the direction of a company. Mom and pop probably aren’t getting a private audie...

Read More

Breaking Up Is Hard to Do: Why Food and Beverage Giants Are Splitting Apart

For decades, the food and beverage business was driven by a simple credo: “bigger is better.” Consolidation promised purchasing power, shelf dominance, and global reach. The late 2...

Read More