SEC Seeks Information on Steps Taken to Combat Cybersecurity Breaches

The Securities and Exchange Commission (SEC) has recently decided to adopt stricter rules on cybersecurity disclosure in order to protect investors. Public companies will now be required to disclose any “material” cybersecurity breach within four days of determining that the breach is material. The SEC believes that collecting this data is crucial to safeguard the interests of investors. However, corporate America is pushing back, arguing that the short announcement period is impractical and that public disclosure could potentially harm corporations and be exploited by cybercriminals. These new rules will come into effect 30 days after publication in the Federal Register.

The current rules surrounding cybersecurity reporting are ambiguous. While companies are obligated to file an 8-K report to announce major events to shareholders, the SEC believes that the reporting requirements for cybersecurity events lack consistency. In addition to the four-day disclosure requirement, the SEC is also seeking additional details to be disclosed, such as the timing of the incident and its impact on the company. Furthermore, management expertise in cybersecurity will need to be disclosed as well. Corporate America’s objections to these rules align with their resistance to other rulemaking proposals put forth by SEC Chair Gary Gensler, as they view them as excessive and burdensome.

The primary concerns of the industry regarding these new rules are twofold. First, they argue that four days is an inadequate period to allow companies to focus on mitigating and resolving the impact of a cybersecurity incident. Second, premature public disclosure could have detrimental effects on companies. The New York Stock Exchange (NYSE) has written to the SEC on behalf of listed companies, proposing that public disclosures should be delayed if the incident is still being addressed or if law enforcement determines that it may interfere with an investigation. The proposed rule empowers the Attorney General to delay reporting if it poses a substantial risk to national security. This objection is based on the belief that premature public disclosure could potentially provide valuable information to malicious actors, allowing them to exploit vulnerabilities and cause further harm.

Another concern raised by industry representatives is the existence of overlapping regulations. Many public companies already have mechanisms in place to share critical information about cyber incidents with federal agencies like the FBI. The Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security is the lead agency responsible for cybersecurity. Under recent legislation, CISA is adopting cybersecurity rules that require “critical infrastructure entities,” including financial institutions, to report cyber breaches to it within three days. This conflicts with the SEC’s four-day rule and creates duplicative reporting requirements. These issues highlight the central question of who should be the primary regulator of cybersecurity. SIFMA argues that the SEC is not equipped to fulfill this role for all registrants.

The SEC’s objective with these new rules is part of a broader agenda set by SEC Chair Gary Gensler, which emphasizes the importance of disclosure. Gensler aims to increase transparency in areas such as cybersecurity, board diversity, and climate change, among others. While he claims that this will protect investors, industry professionals express concerns that the data collected will burden the industry and potentially facilitate aggressive enforcement tactics from the SEC under Gensler’s leadership. Critics argue that the SEC’s collection of extensive information enables them to identify violations of regulations and expand enforcement actions. Ultimately, it is believed that the increased disclosure requirements serve to enhance the SEC’s enforcement power and potentially secure additional funding from Congress.

In conclusion, the SEC’s new rules regarding cybersecurity disclosure have sparked controversy within corporate America. While the SEC aims to protect investors by collecting comprehensive data on cybersecurity breaches, industry representatives argue that the short disclosure period and potential public harm outweigh the benefits. The ongoing debate highlights the need for clarity and consistency in cybersecurity reporting requirements, along with consideration for potential overlapping regulations.
