Inside Cybersecurity


SEC holds firm on essential elements of new cyber rule, despite charges of regulatory over-reach

By Charlie Mitchell / July 27, 2023

The Securities and Exchange Commission’s new cybersecurity rule hews closely to the controversial proposal issued in 2022, prompting criticism from the SEC’s Republican members that the body was exceeding its authority and complicating security efforts, support from within the cybersecurity community and disappointment among key industry groups.

The SEC on Wednesday approved the final rule setting cyber incident reporting and risk management requirements for publicly traded companies, on a 3-2 vote. The commission’s two Republicans voted no, and the proposal had been opposed by major industry groups since it was issued in March 2022.

The regulation requires disclosure of “material” cybersecurity events within four days, as well as “periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.”

“We received over 150 comment letters in response” to the proposal, the commission said in the 186-page document approved Wednesday. “The majority of comments focused on the proposed incident disclosure requirement, although we also received substantial comment on the proposed risk management, strategy, governance, and board expertise requirements.”

SEC Chairman Gary Gensler said the commission adjusted the proposal to address stakeholder concerns, for instance explaining, “The rules will include limited delays for disclosures of material cybersecurity incidents that the U.S. Attorney General determines could pose a substantial risk to national security or public safety.”

Further, he said, “In response to public comment, today’s adopting release streamlines required disclosures for both periodic and incident reporting. For example, the final rules will require issuers to disclose only an incident’s material impacts, nature, scope, and timing, whereas the proposal would have required additional details, not explicitly limited by materiality.”

Gensler said, “Over the generations, our disclosure regime has evolved to meet investors’ needs in changing times. Today’s adoption marks only the latest step in that long tradition. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

But senior Republican Commissioner Hester Peirce in her statement stressed, “We do not need additional regulations.”

“When companies fail to make the required disclosures about cyber risks or inform investors of a cyber incident in a timely manner, the Commission can bring an enforcement action based on existing disclosure obligations,” Peirce said.

She added, “I could have supported a cyber rule designed to guide public companies in their obligation to disclose material cyber risks and material cyber incidents in a way that would be net-beneficial to investors. Today’s rule, by contrast, reads like a test run for future overly prescriptive, overly costly disclosure rules covering a never-ending list of hot topics.”

Peirce said, “The Commission’s expansive view of its authority manifests in at least three ways in this release. First, the Commission rejects financial materiality as the touchstone for its disclosures, and fails to offer in its place a meaningful intelligible limit to its disclosure authority.”

“Second,” she said, “the SEC’s potentially non-material risk management and governance disclosures veer into managing companies’ cyber defenses; the new rule looks like a compliance checklist for handling cyber risk, a checklist the SEC is not qualified to write.”

And third, Peirce said, “the Commission’s expansive view of its authority is reflected in its overly narrow law enforcement exception and general refusal to take into account other cyber disclosure laws.”

Industry takes

The National Association of Corporate Directors expressed satisfaction with a change made to the governance requirements while citing ongoing concerns over the four-day incident reporting requirement.

“NACD believes it is regulatory overreach to impact the composition and operations of a public company board in this particular risk area, where effective governance is context-dependent. NACD is pleased to see that the amended and final rule focuses disclosure of expertise at the correct tier of responsibility for mitigating this risk: management,” NACD said.

But the incident reporting deadline “may not allow companies the time to put in place adequate patches and protections before being forced to make it known that they have been compromised digitally,” NACD said.

The group also saluted the extended compliance deadline for smaller entities on incident reporting.

According to a fact sheet, “all registrants other than smaller reporting companies must begin complying on the later of 90 days after the date of publication in the Federal Register or December 18, 2023.”

“Smaller reporting companies will have an additional 180 days and must begin complying … on the later of 270 days from the effective date of the rules or June 15, 2024,” the fact sheet says.

Leading groups from critical infrastructure sectors said changes to the rule were insufficient to offset deep concerns over the impacts of the commission’s plan.

Heather Hogsett, senior vice president for the Bank Policy Institute’s technology division BITS, said, “The SEC’s cyber disclosure rule risks harming the very investors it purports to protect by prematurely publicizing a company’s vulnerabilities. No reasonable investor would want premature disclosure of a cyber event to malicious actors or a hostile nation-state, which could exacerbate security risks and creates a recipe for disaster the next time a major cyber incident occurs.”

BPI noted “five separate rules” from the SEC since 2022 requiring companies to inform investors of their cyber risk management practices and urged the commission to harmonize its requirements.

BPI also called on the commission to coordinate its policies “with law enforcement and other stakeholders,” saying, “There should be a mechanism that allows companies, in coordination with law enforcement and other regulators, flexibility to delay disclosures, focus resources on remediation and prevent widespread exploitation of an ongoing vulnerability.”

Positive reviews

The new rule earned positive shoutouts from other quarters including CSC 2.0, the successor group to the Cyberspace Solarium Commission, security firms and a key credit rating agency.

“The part of the SEC rule addressing corporate governance requirements was much needed - it requires the companies to address how they assess, manage and mitigate their cyber risks,” said Mark Montgomery of the Foundation for Defense of Democracies and leader of CSC 2.0.

“It holds management and boards accountable for cyber risk in a manner similar to other business risks. If public companies had been doing this in a comprehensive, transparent manner maybe this rule would not have been needed, but they were not and so a rule was developed,” according to Montgomery, who was executive director for the Solarium Commission as it developed a landmark 2020 report.

Similarly, Amit Yoran, chairman and CEO of cybersecurity firm Tenable, said, “In many ways, the SEC’s rule will regulate what companies should have been implementing in the first place: good cyber hygiene. Requiring companies to provide annual updates of their cybersecurity risk management strategy and governance and report material breaches within four business days will keep customers and investors better informed as to who they trust with their business.”

Moody’s Investors Service said the new SEC rule should “spur improvements in cyber defenses” and is credit positive for companies covered by the regulation.

Lesley Ritter, senior vice president for Moody’s, said, “The cybersecurity disclosure rules adopted by the U.S. Securities and Exchange Commission earlier today will provide more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability.”

Ritter said, “Increased disclosure should help companies compare practices and may spur improvements in cyber defenses, but meeting the new disclosure standards could be a bigger challenge for smaller companies with limited resources.”

“Overall,” Ritter said, “the rules are credit positive for public companies that are subject to SEC reporting requirements, as disclosures are useful to compare how companies, particularly those with elevated cyber risk, are addressing these challenges.” -- Charlie Mitchell (cmitchell@iwpnews.com)