Cybersecurity threats and incidents pose an ongoing and escalating risk to public companies, investors, and market participants, according to the Securities and Exchange Commission (SEC).
On March 9, the Commision proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.
According to the SEC, “cybersecurity incident” as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
SEC Chair Gary Gensler said he’s supporting the proposal because if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.
Gensler said that over the years, the disclosure regime has evolved to reflect evolving risks and investor needs.
“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend,” he said in a statement
According to Gensler, the interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk.
“Investors want to know more about how issuers are managing those growing risks,” he added.
Gensler said that cybersecurity incidents, unfortunately, happen a lot and can have significant financial, operational, legal, and reputational impacts on public issuers.
Thus, investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns.
A lot of issuers already provide cybersecurity disclosure to investors, Gensler said.
“I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” he said.
The proposed amendments would require current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.
For example, said Gensler, under the proposed rules, companies would disclose information such as: management’s and the board’s role and oversight of cybersecurity risks; whether companies have cybersecurity policies and procedures; and how cybersecurity risks and incidents are likely to impact the company’s financials.
The proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.
The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.
“This is critical because such material cybersecurity incidents could affect investors’ decision-making,” Gensler said.
“When companies have an obligation to disclose material information to investors, they must be complete and accurate. Their disclosures also should be timely,” he added.
The proposal would specify when and what information about cybersecurity incidents companies must disclose in a current report, such as on Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident.
It also would require updates in periodic reports to give investors more complete information on previously disclosed, material cybersecurity incidents.
This is the third rule-making project the SEC has proposed that implicates cybersecurity.
Earlier this winter, the Commission voted to propose expanding Regulation Systems Compliance and Integrity (SCI) to certain government securities trading platforms.
“In February, we voted to propose new obligations for registered investment advisers and funds with respect to cybersecurity,” SEC Chair said.
“Going forward, I’ve also asked staff to make additional recommendations for the Commission’s consideration with respect to broker-dealers, Regulation SCI, and intermediaries’ requirements regarding customer notices (Regulation S-P),” he added.
