SEC Calls for Expansion of Cybersecurity Disclosure Requirements

The Securities and Exchange Commission is seeking to expand its cybersecurity disclosure rules, which, if adopted, would require publicly traded corporations to offer deeper public insights into a variety of data security issues, including risk management, governance and incident reporting.

The SEC announced the proposed rules following last week’s open meeting. SEC Chair Gary Gensler noted that the agency’s primary goal was to create standard ways of presenting relevant cybersecurity information to financial-statement users “in a consistent, comparable and decision-useful manner,” adding that demand for the disclosures comes from investors.

“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk,” Gensler said.

Concerns about cybersecurity disclosures have lingered for years among financial regulators. A 2019 study by former SEC member Robert Jackson found that roughly 90% of hacks and similar incidents that took place in 2018 went unreported.

Under the proposed changes, issuers would be required to disclose material cybersecurity incidents – data breaches, ransomware attacks and the like – via Form 8-K filings within four business days. Notably, the clock would start when the company determines that an incident is material, not when the incident is first discovered, which puts a premium on having a documented, repeatable materiality-assessment process. Moreover, companies would need to offer periodic updates regarding previously disclosed cybersecurity incidents. The proposal would also require issuers to report when a series of individually immaterial cybersecurity incidents rises, in the aggregate, to the level of materiality.

Meanwhile, the SEC is calling for “enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy and governance.” Those are the broad strokes, at least. In practice, the commission wants details on how companies manage cybersecurity risks. That entails matters such as the role of cybersecurity in a corporation’s business strategy and financial planning. The proposal would also require a registered company to disclose information about the role of its board of directors in cybersecurity oversight.

One SEC commissioner isn’t on board with the agency’s project. Hester Peirce, who was appointed during the prior presidential administration, voted against the proposal, maintaining that it fell outside the SEC’s prescribed role. She described the disclosure requirements as “micromanagement” of companies, which she thinks should be able to determine their own cybersecurity programs.

Given the geopolitical situation, Peirce’s preference for a more laissez-faire approach to cybersecurity probably won’t find much favor among policymakers. Russia’s military invasion of Ukraine and cyberattacks on Ukrainian government institutions and infrastructure have heightened anxiety among government officials in both the United States and Europe. The U.S. Cybersecurity & Infrastructure Security Agency has issued data-protection recommendations for all U.S. individuals and organizations, including corporate leaders and CEOs. Tying cyber risk to national security in such a way tends to point policy in the most cautious of directions.
