The Securities and Exchange Commission (SEC) has voted 3-2 to adopt rules that will require public companies to disclose "material" cybersecurity breaches within 4 days of determining that an incident was material. The SEC believes that collecting this data is necessary to protect investors. Corporate America has expressed opposition to the short announcement period, claiming that it could cause harm to corporations and be exploited by cybercriminals. The final rules will become effective 30 days following publication in the Federal Register.
The current rules on when to report a cybersecurity incident are vague, and the SEC is seeking additional details such as the timing of the incident and the impact on the company, along with disclosure regarding management expertise in cybersecurity. The Securities Industry and Financial Markets Association (SIFMA), an industry trade group, has said that the SEC is requiring “considerably too much, too sensitive, highly subjective information, at premature points in time”. The New York Stock Exchange (NYSE) echoed this, writing that corporations should be allowed to delay disclosure if pending remediation or law enforcement investigations would be interfered with.
In terms of duplicate reporting, many public companies already share information with federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Legislation passed last year requires CISA-regulated entities to report breaches within three days, conflicting with the SEC’s four-day rule.
Given the breadth and number of rulemaking proposals SEC Chair Gary Gensler has made or proposed, the underlying theme appears to be “disclosure”. Mahlet Makonnen, a principal at Williams & Jensen, has noted that the data collected could be used to expand the SEC’s aggressive enforcement tactics, whereas an anonymous observer believes that the goal is to enable the SEC to ask Congress for more funding.