The Securities and Exchange Commission (SEC) is urging corporate America to provide more information to investors regarding cybersecurity breaches and the measures being taken to combat them.
Today, the SEC is set to vote on regulations that would mandate public companies to disclose any “material” cybersecurity breaches within four days after determining their significance.
The SEC argues that collecting this data is essential for investor protection. However, corporate America is pushing back, asserting that the short notification period is unreasonable. They argue that public disclosure could potentially harm corporations and be exploited by cybercriminals.
If approved, these final rules will become effective within 30 days of being published in the Federal Register.
Current cybersecurity rules lack clarity
The existing rules on how companies report cybersecurity incidents are unclear. Companies are already required to file a Form 8-K to inform shareholders of major events, but the SEC believes that, in practice, cybersecurity incidents are reported inconsistently, if at all.
In addition to the four-day disclosure deadline, the SEC would also require further details, such as when the incident occurred and what impact it has had on the company, along with disclosure of management's expertise in cybersecurity.
Corporate America’s resistance to these regulations echoes their opposition to other rulemaking proposals made by SEC Chair Gary Gensler – claiming that they impose excessive burdens.
“The SEC is demanding the public disclosure of considerably sensitive and subjective information prematurely, without considering the prudential regulators of public companies or relevant cybersecurity specialist agencies,” stated a letter from the Securities Industry and Financial Markets Association (SIFMA), an industry trade group, addressed to the SEC.
Industry objections
The primary concerns raised by the industry include:
- The four-day timeframe is insufficient. Organizations like SIFMA argue that this restriction denies companies the necessary time to focus on mitigating and remediating the impacts of an incident.
- Premature public disclosure could harm companies. The New York Stock Exchange (NYSE), representing its listed companies, reached out to the SEC, advocating for corporations to have the option to delay public disclosure under two circumstances: 1) during incident remediation and 2) if a civil or criminal investigation is impeded by disclosure.
The proposed rule allows the Attorney General to postpone disclosure if immediate disclosure is determined to pose a substantial risk to national security or public safety.
“Premature public disclosure of an incident, without certainty that the threat has been neutralized, could provide bad actors with valuable information to further their attack,” emphasized Hope Jarkowski, NYSE Group general counsel, in the letter.
Nasdaq echoed these concerns in a separate letter to the SEC, stating that “the obligation to disclose may reveal additional information to an unauthorized intruder who may still have access to the company’s information systems at the time the disclosure is made and potentially further harm the company.”
Concerns about redundant reporting
Another issue raised is the potential overlap of regulations. Many public companies already have protocols in place to share critical information about cyber incidents with federal agencies, including the FBI.
The lead federal agency for cybersecurity is the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security. Under recent legislation, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), CISA is adopting rules that oblige “critical infrastructure entities,” such as financial institutions, to report covered cyber incidents to CISA within 72 hours.
The two regimes run on different clocks, to different agencies, for different audiences: CISA's 72-hour report is confidential and serves incident response, while the SEC's four-day 8-K is public and serves investors. A single incident could therefore trigger overlapping reporting obligations.
All these concerns revolve around the central question of who should regulate cybersecurity. “The Commission is not a prudential cybersecurity regulator for all registrants,” asserts SIFMA.
The SEC’s objectives
Cybersecurity is just one of the 50+ proposed rules that Gensler has put forward for consideration, around 40 of which have already reached the Final Rule stage.
If there is one overarching theme behind Gensler’s extensive rulemaking agenda, it is “disclosure” – be it regarding cybersecurity, board diversity, climate change, or several other issues.
“Gensler claims he wants more transparency, believing it will safeguard investors,” said Mahlet Makonnen, a principal at Williams & Jensen.
Makonnen added, “The industry’s concern is that the data collected will burden the industry unnecessarily, fail to truly protect investors, and potentially fuel aggressive enforcement tactics under Gensler.”
“By gathering more information, the SEC can identify rule and regulation violations, expanding their enforcement actions. The SEC argues for broad authority to protect investors, and enhanced disclosures enable an expansion of enforcement actions,” explained an anonymous observer with extensive SEC experience.
“To secure funding from Congress, you must claim that you are protecting the public, rather than requesting funds for market structure improvements. It’s about convincing Congress that you are safeguarding the interests of everyday investors,” the observer concluded.