The U.S. Securities and Exchange Commission (SEC) proposed, on March 9, 2022, amendments to its rules that are intended to enhance and standardize disclosures by public companies regarding cybersecurity risk management, strategy, governance, and incident reporting. The proposed amendments aim to inform investors about a registrant’s risk management, strategy, and governance, and to provide timely notification to investors of material cybersecurity incidents.
The SEC’s announcement included a statement from SEC Chair Gary Gensler. He said, in part: “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”
- The SEC proposed, on March 9, 2022, new rules governing disclosures related to cybersecurity risks.
- They would include both disclosures of cybersecurity risk management plans and reports on actual incidents.
Detail on Proposed Cybersecurity Disclosures
The proposed amendments would require current reporting about material cybersecurity incidents and periodic updates about previously reported cybersecurity incidents. They also would require periodic reporting about: the registrant’s policies and procedures regarding identifying and managing cybersecurity risks; how the registrant’s board of directors is exercising oversight of cybersecurity risk; how management is assessing and managing cybersecurity risk; and how management is implementing cybersecurity policies and procedures. The proposal also would require annual reporting or certain proxy statement disclosures about the cybersecurity expertise, if any, among members of the registrant’s board of directors.
Additional Comments From SEC Chair Gary Gensler
SEC Chair Gary Gensler issued a detailed statement on the proposed amendments. Some of his comments were excerpted in the SEC press release, as quoted above. Additional highlights are presented below.
“We’ve been requiring disclosure of important information from companies since the Great Depression. The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis.”
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs.”
“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.”
“Cybersecurity incidents, unfortunately, happen a lot. They can have significant financial, operational, legal, and reputational impacts on public issuers. Thus, investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns.”
“Today’s release would enhance issuers’ cybersecurity disclosures in two key ways.”
“First, it would require mandatory, ongoing disclosures on companies’ governance, risk management, and strategy with respect to cybersecurity risks.”
“Second, it would require mandatory, material cybersecurity incident reporting. This is critical because such material cybersecurity incidents could affect investors’ decision-making.”
Dissenting Statement From SEC Commissioner Hester M. Peirce
SEC Commissioner Hester M. Peirce issued a dissenting statement on the proposed amendments. Highlights are presented below.
“We have an important role to play in ensuring that investors get the information they need to understand issuers’ cybersecurity risks if they are material. This proposal, however, flirts with casting us as the nation’s cybersecurity command center, a role Congress did not give us.”
“Our role with respect to public companies’ activities, cybersecurity or otherwise, is limited. The Commission regulates public companies’ disclosures; it does not regulate public companies’ activities.”
“The proposal, although couched in standard disclosure language, guides companies in substantive, if somewhat subtle, ways. First, the governance disclosure requirements embody an unprecedented micromanagement by the Commission of the composition and functioning of both the boards of directors and management of public companies.”
“Such precise disclosure requirements look more like a list of expectations about what issuers’ cybersecurity programs should look like and how they should operate.”
“[W]hile cloaked as a disclosure requirement, the proposed rules pressure companies to consider adapting their existing policies and procedures to conform to the Commission’s preferred approach, embodied in eight specific disclosure items.”
“The substance of how a company manages its cybersecurity risk, however, is best left to the company’s management to figure out in view of its specific challenges, subject to the checks and balances provided by the board of directors and shareholders.”
“The proposal’s bright spot is the rules relating to the reporting of cybersecurity incidents. I am not convinced that the rules are necessary in light of the Commission’s 2018 guidance, which provided our views about public companies’ disclosure obligations under existing rules. Nevertheless, the proposed rules seem to provide sensible guideposts for companies to follow in reporting material cybersecurity incidents.”