SEC Demands Corporations Disclose Information on Cybersecurity Breaches and Countermeasures

The Securities and Exchange Commission (SEC) has voted 3-2 to approve new rules on cybersecurity disclosure, requiring public companies to disclose "material" breaches within 4 days. The SEC justifies this by claiming that collecting and disclosing this data is necessary to protect investors. Corporate America, however, argues that this short announcement period is unreasonable and results in the public disclosure of sensitive information that can be used against companies by cybercriminals. The new rules will take effect 30 days following publication in the Federal Register.

Current regulations on when a company needs to report a cybersecurity incident are not defined, and the SEC believes that the existing requirements for reporting such events are inconsistent. To address this, the SEC wants additional details disclosed, such as the timeline of the event and the material effect on the company. Moreover, companies must report management expertise on cybersecurity.

Industry trade groups like the Securities Industry and Financial Markets Association (SIFMA) are pushing back, stating that the SEC is asking for too much disclosure that is both highly subjective and premature. The NYSE, meanwhile, seeks an exemption for companies to delay public disclosure in two cases: 1) when the incident is being remediated, or 2) when law enforcement believes a disclosure could interfere with a civil or criminal investigation. The Attorney General can also delay reporting if they deem it a risk to national security. Nasdaq echoes this point, underlining the risk of revealing additional information to a cybercriminal who may still have access to the company's systems at the time the breach is disclosed. Duplicate or conflicting regulations are also a concern, as many public companies already have procedures to report such events to other federal agencies (e.g., CISA).

Ultimately, the SEC under Gary Gensler seeks to expand disclosure around cybersecurity, board diversity, climate change, and other topics, ostensibly in the name of investor protection. This data would also enable the SEC to increase enforcement activity, with the narrative of 'protecting investors, especially grandma', in order to gain more funding from Congress.
