Cybersecurity Disclosures Would Be Strengthened Under New SEC Proposals

Disclosures of public company cybersecurity measures and hacks would be strengthened if new rules proposed by the Securities and Exchange Commission today are approved.

SEC Chair Gary Gensler said the proposals, if adopted, would strengthen the ability of investors to evaluate cybersecurity incidents and reporting of precautions by the companies they own by making consistent, comparable, reliable, and decision-making information available.

He said cyber threats pose significant financial, legal, operational, and reputational risks for firms.

SEC Chief Economist and Director of the Division of Economic and Risk Analysis Jessica Wachter said the proposals would lower search costs for investors and make it easier to make cybersecurity comparisons among companies.

Under the proposals, a company would be required to disclose a material cybersecurity incident within four days after the firm had determined it occurred. The business would also be required to make periodic disclosures of additional information about the incident.

Additionally, a company would have to disclose management’s and the board’s role and oversight of cybersecurity risks; whether it has cybersecurity policies and procedures; how cybersecurity risks and incidents are likely to impact the company’s financials; and whether board members have cybersecurity expertise.

Democratic Commissioner Caroline Crenshaw said the new rules have become vital as CEOs have identified cyber incidents as the number one threat to business growth in coming years.

She claimed that the “who what when and where of disclosures” is currently unreliable.

Opposing the proposal, the sole Republican member on the Commission, Hester Peirce, charged that it flirts with designating the SEC as a cybersecurity command center.

“We’re not the regulators with the necessary expertise,” said Peirce.

She also objected that the proposals would lead to an unprecedented micromanagement of boards by the SEC by requiring companies to disclose the cybersecurity knowledge of board members.

Source: https://www.forbes.com/sites/tedknutson/2022/03/09/cybersecurity-disclosures-would-be-strengthened-under-new-sec-proposals/