Are the SEC’s New Cybersecurity Rules Coming Too Late?

The phrase “fighting the last war” often comes to mind when discussing the federal government’s rulemaking process. It’s a familiar cycle: Something emerges as a problem that catches companies unprepared, and regulators begin the iterative slog of drafting rules, soliciting comments from the public on their proposals and re-drafting new versions in response to the feedback. Meanwhile, if the issue that triggered the rulemaking poses a big enough problem for companies, they’ve likely taken steps to address it well in advance of any final regulatory guidance.

The Securities and Exchange Commission seems to be playing a game of catch-up now as it seeks to modernize cybersecurity rules. The project started in earnest last year in response to national security risks, such as cyber threats against information technology networks and fuel pipelines. The effort produced a package of proposed measures from the SEC designed to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies.”

The proposed rules focused on disclosing material cybersecurity incidents – think ransomware attacks and data breaches – in a timely manner, as well as guidelines for providing updates on previously disclosed events. Additionally, the SEC called for “enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy and governance.” For example, how do the directors on issuers’ boards factor into companies’ cybersecurity strategies?

In all fairness, the rise in cybersecurity threats is a national security issue when public infrastructure is put at risk. Not to mention, we could broaden our definition of infrastructure substantially when we consider the ubiquity of commercial products such as cell phones in our daily lives. Investors also benefit from more transparency when it comes to all aspects of corporate risk management, cybersecurity included.

So, any efforts by the government to prod major corporations into beefing up their cybersecurity programs should be considered well-intentioned. But are they necessary?

There is evidence to suggest that issuers already grasp the potential for ruinous outcomes from cyber threats. For example, a Wall Street Journal survey released in March found that more than three-quarters of corporate boards already have at least one member who is well-versed in cybersecurity. The role of chief information security officer generally carries more weight in corporate governance strategy now than in the past, especially in the eyes of board members.

And don’t forget that corporations answer to sophisticated institutional investors. Fall short on matters of risk management and the people in C-suites risk stockholder-led revolts.

In other words, new cybersecurity regulations may not produce much in the way of clear, direct benefits to companies themselves and our national security against cyber threats. But if the new rules serve as constant reminders to companies of their responsibilities to stakeholders and the importance of cybersecurity in a broad sense, they are worth the effort.