Are the SEC’s New Cybersecurity Rules Coming Too Late?

The phrase “fighting the last war” often comes to mind when discussing the federal government’s rulemaking process. It’s a familiar cycle: Something emerges as a problem that catches companies unprepared, and regulators begin the iterative slog of drafting rules, soliciting comments from the public on their proposals and re-drafting new versions in response to the feedback. Meanwhile, if the issue that triggered the rulemaking poses a big enough problem for companies, they’ve likely taken steps to address it well in advance of any final regulatory guidance.

The Securities and Exchange Commission seems to be playing a game of catch-up now as it seeks to modernize cybersecurity rules. The project started in earnest last year in response to national security risks, such as cyber threats against information technology networks and fuel pipelines. The effort produced a package of proposed measures from the SEC designed to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies.”

The proposed rules focused on disclosing material cybersecurity incidents – think ransomware attacks and data breaches – in a timely manner, as well as guidelines for providing updates on previously disclosed events. Additionally, the SEC called for “enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy and governance.” For example, how do the directors on issuers’ boards factor into companies’ cybersecurity strategies?

In all fairness, the rise in cybersecurity threats is a national security issue when public infrastructure is put at risk. Not to mention, we could broaden our definition of infrastructure substantially when we consider the ubiquity of commercial products such as cell phones in our daily lives. Investors also benefit from more transparency when it comes to all aspects of corporate risk management, cybersecurity included.

So, any efforts by the government to prod major corporations into beefing up their cybersecurity programs should be considered well-intentioned. But are they necessary?

There is evidence to suggest that issuers already grasp the potential for ruinous outcomes from cyber threats. For example, a Wall Street Journal survey released in March found that more than three-quarters of corporate boards already have at least one member who is well-versed in cybersecurity. The role of chief information security officer generally carries more weight in corporate governance strategy now than in the past, especially in the eyes of board members.

And don’t forget that corporations answer to sophisticated institutional investors. Fall short on matters of risk management and the people in C-suites risk stockholder-led revolts.

In other words, new cybersecurity regulations may not produce much in the way of clear, direct benefits to companies themselves and our national security against cyber threats. But if the new rules serve as constant reminders to companies of their responsibilities to stakeholders and the importance of cybersecurity in a broad sense, they are worth the effort.

Latest Articles

Companies Grapple with Appropriate Disclosures for Cybersecurity

You could make a strong case for the SolarWinds hack of 2020 as the most significant cybersecurity event in history to date. Russian hackers launched a massive online attack throug...

Read More

Beware the Buzzy Press Release

In the world of corporate communications, press releases play a pivotal role in disseminating news. However, a recent study shows that companies are also using press releases strat...

Read More

SEC Already Facing Legal Challenge to Buyback Rules

Shareholders of technology giant Apple might have experienced feelings of déjà vu earlier this month. In announcing its financial results for 2023’s second quarter, the company als...

Read More