SEC Calls for Expansion of Cybersecurity Disclosure Requirements

The Securities and Exchange Commission is seeking to expand its cybersecurity disclosure rules, which, if adopted, would require publicly traded corporations to offer deeper public insights into a variety of data security issues, including risk management, governance and incident reporting.

The SEC announced the proposed rules following last week’s open meeting. SEC Chair Gary Gensler noted that the agency’s primary goal was to create standard ways of presenting relevant cybersecurity information to financial-statement users “in a consistent, comparable and decision-useful manner,” adding that demand for the disclosures comes from investors.

“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk,” Gensler said.

Concerns about cybersecurity disclosures have lingered for years among financial regulators. A 2019 study by former SEC member Robert Jackson found that roughly 90% of hacks and similar incidents that took place in 2018 went unreported.

Under the proposed changes, issuers would be required to disclose material cybersecurity incidents – data breaches, ransomware attacks and the like – via Form 8-K filings within four business days after companies determine they were subject to an incident. Moreover, companies would need to offer updates regarding previously disclosed cybersecurity breaches. The proposal would also require issuers to report when a slew of individually immaterial cybersecurity incidents rise in the aggregate to the level of materiality.

Meanwhile, the SEC is calling for “enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy and governance.” Those are the broad strokes, at least. In practice, the commission wants details on how companies manage cybersecurity risks. That entails matters such as the role of cybersecurity in a corporation’s business strategy and financial planning. The proposal would also require a registered company to disclose information about the role of its board of directors in cybersecurity oversight.

One SEC commissioner isn’t on board with the agency’s project. Hester Peirce, who was appointed during the prior presidential administration, voted against the proposal, maintaining that it fell outside the SEC’s prescribed role. She described the disclosure requirements as “micromanagement” of companies, which she thinks should be able to determine their own cybersecurity programs.

Given the geopolitical situation, Peirce’s views on a more laissez faire approach to cybersecurity probably won’t find much favor among policymakers. Russia’s military invasion of Ukraine and cyberattacks on Ukrainian government institutions and infrastructure have heightened anxiety among government officials in both the United States and Europe. The U.S. Cybersecurity & Infrastructure Security Agency has issued data-protection recommendations for all U.S. individuals and organizations, including corporate leaders and CEOs. Tying cyber risk to national security in such a way tends to point policy in the most cautious of directions.

Latest Articles

U.S. Exploring New Crypto Territory in Stablecoins

In both the United States and abroad, there’s a new frontier in money. As cryptocurrencies gain a stronger foothold in the financial markets, so-called stablecoins, a class of digi...

Read More

Early Disclosures Point to Massive Corporate Tax Savings from “Big Beautiful Bill”

The House of Representatives traditionally reserves the bill number H.R. 1 in each new session of Congress for a piece of legislation that reflects what the Speaker of the House de...

Read More

At Public Companies, It’s All Quiet on the DEI Front

Public companies haven’t had much to say lately about diversity, equity and inclusion initiatives. Avoiding the conversation hasn’t stopped the momentum against so-called DEI progr...

Read More