The SEC wants corporate America to tell investors more about cybersecurity breaches and what’s being done to fight them

News By Daniel Michan Published on July 28, 2023

The Securities and Exchange Commission is requiring public companies to give investors more information about cybersecurity incidents and the steps being taken to address them, with the stated aim of greater transparency.

By a 3-2 vote, the SEC has adopted rules on cybersecurity disclosure. The rules require companies to disclose a cybersecurity incident within four business days of determining that the incident is material.

The SEC presents the requirement as essential to protecting investors. Much of corporate America, however, is pushing back. Opponents argue that the short notification window is impractical, could harm the disclosing company, and could hand attackers an opening to exploit.

The final rules take effect 30 days after publication in the Federal Register.

Part of the SEC's rationale is that current practice is inconsistent. Companies already file Form 8-K reports to announce material events to shareholders, but with no requirement specific to cybersecurity, the timing and content of incident reporting have varied from company to company.

Beyond the four-business-day incident disclosure, the SEC also wants more detail on each incident, such as when it occurred and its impact on the company's operations, along with a fuller picture, in annual reports, of management's and the board's expertise in handling cybersecurity risk.

Corporate America's resistance resembles the opposition SEC Chair Gary Gensler has met on his earlier rulemaking proposals: complaints that the demands are excessive.

In a letter to the SEC, the Securities Industry and Financial Markets Association (SIFMA), an industry trade group, said the Commission is asking for disclosure of sensitive and highly subjective information at a premature stage, without proper regard for the prudential regulators of public companies or for the federal agencies that specialize in cybersecurity.

Industry players have raised three main objections:

1. Insufficient time frame: SIFMA and others argue that four days is not enough, because it denies companies the time to first contain an incident and mitigate its effects.

2. Harm to companies: The NYSE, on behalf of its listed corporations, has told the SEC that companies should be allowed to delay public disclosure in two circumstances: 1) while remediation of the incident is still under way, and 2) when law enforcement determines that disclosure could interfere with an ongoing civil or criminal investigation.

3. National security considerations: The rule permits a delay only where the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

In a letter, Hope Jarkowski, counsel for NYSE Group, stressed that an incident should not be disclosed before the company has confirmed the threat is resolved, because a premature disclosure can inadvertently tell the attackers what the victim knows and enable further attacks.

Nasdaq raised the same concern in its own letter to the SEC, noting that disclosing an incident before intruders have been removed from the company's systems could cause further harm to the company.

Another issue is overlapping regulation. Many public companies already have procedures for sharing information about cyber incidents with federal agencies, including the FBI.

The lead federal agency for cybersecurity is the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security. Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), CISA is writing rules that will require "covered entities" in critical infrastructure sectors, including financial institutions, to report covered cyber incidents directly to CISA within 72 hours.

That 72-hour clock sits alongside the SEC's four-business-day disclosure clock, producing overlapping and partly redundant reporting obligations. The two also differ in audience: a CIRCIA report goes confidentially to CISA, while a Form 8-K filing is public.

Taken together, these concerns raise the question of which agency should be primarily responsible for regulating cybersecurity. SIFMA's position is that the Commission is not necessarily the prudential regulator of every registered entity when it comes to cybersecurity.

What is the SEC after? Under Gensler the agency has proposed more than 50 rules, about 40 of which have reached the final-rule stage. The common thread running through them is "disclosure."

Gensler's view is that more transparency on cybersecurity, board diversity, climate change, and other matters protects investors. Some industry observers question the burden this places on companies and whether the additional data really benefits investors.

They also worry that the data will feed enforcement under Gensler's leadership: information obtained through disclosure lets the SEC identify rule violations and expand its enforcement actions.

Supporters counter that the disclosures give the SEC what it needs to exercise its authority to protect investors. Either way, stepped-up disclosure ultimately strengthens the SEC's enforcement capabilities, according to a long-time agency observer.