What the SEC weighed in finalizing the cyber disclosure rules
The leader of the Securities and Exchange Commission’s Division of Corporate Finance downplayed concerns that the agency’s new cybersecurity rules will hand threat groups a roadmap for future attacks or place an undue burden on security executives.
Erik Gerding, director of the Division of Corporate Finance, said staff carefully considered those issues as part of their internal deliberations prior to the final rules being adopted in July.
Gerding offered some key takeaways on the final recommendations in public remarks Thursday, just before the SEC enforcement dates were scheduled to begin. The agency received a wide range of public comments following the March 2022 recommendations and made several key changes to the final language.
Gerding highlighted some of the main points in the final recommendations as well as important changes from the original proposals:
The SEC has issued cyber guidance before
The SEC previously issued guidance regarding cybersecurity disclosure, including staff guidance released in 2011 and recommendations last issued in 2018. While the SEC has seen improved compliance since the prior guidance was issued, companies have been inconsistent in their security disclosures, Gerding said.
“The Commission determined that new rules would provide investors with the more timely, consistent, comparable and decision-useful information they need to make informed investment and voting decisions,” he said.
There are more economic threats
The economy is heavily dependent on digital systems, and the increase in remote work, the use of digital payments and a greater reliance on third-party IT providers, including cloud computing services, are adding to the cyber risk climate.
“In my view, artificial intelligence and other technologies may enhance both the ability of public companies to defend against cybersecurity threats but also the capacity of threat actors to launch sophisticated attacks,” Gerding said.
The SEC sees the potential cost of cybersecurity incidents to companies and their investors rising at alarming rates, Gerding said. All this adds to the need for better disclosures, he said.
The SEC doesn’t want to manage security
Gerding emphasized the SEC is not trying to dictate how companies should manage cybersecurity policies or procedures.
“Public companies have the flexibility to decide how to address cybersecurity risks and threats based on their own particular facts and circumstances,” Gerding said. “Investors have indicated, however, that they need consistent and comparable disclosures in order to evaluate how successfully public companies are doing so.”
Understanding the final rule
The final rule requires the disclosure of “material” cybersecurity incidents, which is narrower than the original proposal. The SEC factored in compliance costs as well as the company’s need to respond to and remediate incidents.
But the final rule does not require any specific technical disclosures about how a company will respond to an incident, or details about its system vulnerabilities.
“The Commission thus balanced the need for disclosure with the risk that disclosing specific technical information could provide a road map that threat actors could exploit for future attacks,” he said.
National security concerns
The final disclosure rules allow companies to delay disclosure based on national security concerns, contingent on notification from the Department of Justice. The FBI earlier this month issued a policy notice describing the process for companies to seek national security delays in disclosing material cyber incidents.
Gerding noted the division issued a Compliance and Disclosure Interpretation stating that a company’s request for a delay on national security grounds does not, by itself, make a cybersecurity incident material and therefore subject to disclosure. All of the relevant facts surrounding the incident must still be considered.
The disclosure requirements do not preclude an organization from consulting with the FBI, Department of Justice, the Cybersecurity and Infrastructure Security Agency or another national security or law enforcement agency before determining materiality.