The Securities and Exchange Commission wants corporate America to tell investors more about cybersecurity breaches and what's being done to fight them. Much more.
The SEC has voted 3-2 to adopt new rules on cybersecurity disclosure. It will require public companies to disclose "material" cybersecurity breaches within four days after a determination that an incident was material.
The SEC says it is necessary to collect the data to protect investors. Corporate America is pushing back, claiming that the short announcement period is unreasonable, and that it would require public disclosure that could harm corporations and be exploited by cybercriminals.
The final rules will become effective 30 days following publication of the release in the Federal Register.
Current cybersecurity rules are fuzzy
Current rules on when a company needs to report a cybersecurity event are fuzzy. Companies have to file an 8-K report to announce major events to shareholders, but the SEC believes that the requirements for reporting a cybersecurity event are "inconsistent."
In addition to requiring public companies to disclose cybersecurity breaches within four days, the SEC wants additional details to be disclosed, such as the timing of the incident and the material impact on the company. It will also require disclosure of management expertise on cybersecurity.
The pushback from corporate America sounds strikingly similar to the pushback against many of the other rules SEC Chair Gary Gensler has proposed: too much.
"The SEC is calling for public disclosure of considerably too much, too sensitive, highly subjective information, at premature points in time, without requisite deference to the prudential regulators of public companies or relevant cybersecurity specialist agencies," the Securities Industry and Financial Markets Association (SIFMA), an industry trade group, said in a letter to the SEC.
The most prominent industry concerns are:
- Four days is too short a period. SIFMA and others claim that four days denies companies time to first focus on remediating and mitigating the impacts of any incident.
- Premature public disclosure could harm companies. The NYSE, on behalf of its listed companies, has written to the SEC saying that corporations should be allowed to delay public disclosures in two circumstances: 1) pending remediation of the incident, and 2) if law enforcement determines that a disclosure will interfere with a civil or criminal investigation.
The proposed rule allows the Attorney General to delay reporting if the AG determines that immediate disclosure would pose a substantial risk to national security.
"Premature public disclosure of an incident without certainty that the threat has been extinguished could provide bad actors with useful information to expand an attack," Hope Jarkowski, NYSE Group general counsel, said in the letter.
Nasdaq, in a separate letter to the SEC, agrees, noting that "the obligation to disclose may reveal additional information to an unauthorized intruder who may still have access to the company's information systems at the time the disclosure is made and potentially further harm the company."
Concerns about duplicate reporting
Another concern is overlapping regulations. Many public companies already have procedures in place to share critical information about cyber incidents with other federal agencies, including the FBI.
The lead agency that deals with cybersecurity is the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security. Under legislation passed last year, CISA is adopting cybersecurity rules that require "critical infrastructure entities," which would include financial institutions, to report cyberbreaches within three days to CISA.
This would conflict with the SEC's four-day rule, and would also create duplicate reporting requirements.
All this goes to the central issue of who should be regulating cybersecurity. "The Commission is not a prudential cybersecurity regulator for all registrants," SIFMA said.
What is the SEC trying to accomplish?
Cybersecurity is only a small part of the more than 50 proposed rules Gensler has out for consideration, nearly 40 of which are in the Final Rule stage.
If there is an underlying theme behind much of Gensler's extensive rulemaking agenda, it is "disclosure." More disclosure about cybersecurity, board diversity, climate change and dozens of other issues.
"Gensler is claiming he wants more transparency and thinks that will protect investors," Mahlet Makonnen, a principal at Williams & Jensen, told me.
"The fear the industry has is that the data collected will put unnecessary burdens on industry, does not actually protect investors, and that the data can be used to grow the aggressive enforcement tactics under Gensler," she said.
"The more information they have, the more the SEC can determine if there are any violations of rules and regulations. It allows them to expand enforcement actions. The SEC will say they have broad authority to protect investors, and the disclosures can be used to expand the enforcement actions."
Another long-time observer of the SEC, who asked to remain anonymous, agreed that the ultimate goal of stepped-up disclosure is to expand the SEC's enforcement power.
"It will enable the SEC to claim they are protecting investors, and it will enable them to ask Congress for more money," the observer told me.
"You don't get more money from Congress by asking for money for market structure. You get more money by claiming you are protecting grandma."