SEC Calls for Expansion of Cybersecurity Disclosure Requirements

The Securities and Exchange Commission is seeking to expand its cybersecurity disclosure rules, which, if adopted, would require publicly traded corporations to offer deeper public insights into a variety of data security issues, including risk management, governance and incident reporting.

The SEC announced the proposed rules following last week’s open meeting. SEC Chair Gary Gensler noted that the agency’s primary goal was to create standard ways of presenting relevant cybersecurity information to financial-statement users “in a consistent, comparable and decision-useful manner,” adding that demand for the disclosures comes from investors.

“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk,” Gensler said.

Concerns about cybersecurity disclosures have lingered for years among financial regulators. A 2019 study by former SEC member Robert Jackson found that roughly 90% of hacks and similar incidents that took place in 2018 went unreported.

Under the proposed changes, issuers would be required to disclose material cybersecurity incidents – data breaches, ransomware attacks and the like – via Form 8-K filings within four business days after companies determine they were subject to an incident. Moreover, companies would need to offer updates regarding previously disclosed cybersecurity breaches. The proposal would also require issuers to report when a slew of individually immaterial cybersecurity incidents rise in the aggregate to the level of materiality.

Meanwhile, the SEC is calling for “enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy and governance.” Those are the broad strokes, at least. In practice, the commission wants details on how companies manage cybersecurity risks. That entails matters such as the role of cybersecurity in a corporation’s business strategy and financial planning. The proposal would also require a registered company to disclose information about the role of its board of directors in cybersecurity oversight.

One SEC commissioner isn’t on board with the agency’s project. Hester Peirce, who was appointed during the prior presidential administration, voted against the proposal, maintaining that it fell outside the SEC’s prescribed role. She described the disclosure requirements as “micromanagement” of companies, which she thinks should be able to determine their own cybersecurity programs.

Given the geopolitical situation, Peirce’s views on a more laissez-faire approach to cybersecurity probably won’t find much favor among policymakers. Russia’s military invasion of Ukraine and cyberattacks on Ukrainian government institutions and infrastructure have heightened anxiety among government officials in both the United States and Europe. The U.S. Cybersecurity & Infrastructure Security Agency has issued data-protection recommendations for all U.S. individuals and organizations, including corporate leaders and CEOs. Tying cyber risk to national security in this way tends to push policy in the most cautious direction.
