SEC’s Cybersecurity Disclosure Rules Decision Pushed To October 2023

84

Washington Dc: Exterior of the US Securities and Exchange Commission building. American securities and… [+] The Securities and Exchange Commission (SEC) is an independent agency of the United States federal government. The SEC has primary responsibility for enforcing federal securities laws, proposing securities rules, and regulating the securities industry, state stock exchanges and options, and other activities and organizations, including electronic securities markets in the United States.

getty

The Securities and Exchange Commission (SEC) has announced a delay in finalizing proposed cybersecurity rules. Two different sets of rules, one for public companies and regulated entities and another for investment advisers, registered investment companies and business development companies, are expected to be delayed until at least October 2023. The delay has raised questions about the time frame and potential factors affecting extended process.

Despite the initial goal of finalizing the rule by April 2023, the SEC has pushed back the timeline. The reasons for the delay remain unclear, but ongoing debates and discussions about specific features of the rules may be contributing factors. These discussions may include addressing concerns raised by the FBI and other stakeholders, ensuring a balanced approach that respects the needs of law enforcement while promoting transparency and accountability in ways that strengthen the industry.

Improved disclosure and accountability

The proposed cyber security rules aim to improve transparency and accountability in the handling of cyber security incidents by public companies. SEC Chairman Gary Gensler was quoted as saying that “cybersecurity is a growing risk that public issuers must increasingly contend with. Investors want to know more about how issuers are managing these growing risks.”

While Gensler understands that many companies already publish such disclosures, his support comes from the fact that he believes “both companies and investors would benefit from requiring this information in a consistent, comparable and decision-useful way.” First published in March 2022 for public comment, the rules mainly focus on improving cybersecurity requirements for public companies, including:

A four-day timeframe for detecting “material” cybersecurity incidents; Board cybersecurity management requirements; Increased disclosure of cybersecurity committee expertise; Improved risk management, oversight and cybersecurity disclosures; and; Aggregation requirements for incidents that are not individually material.

Continuous disclosure of information on cybersecurity governance, risk management and strategy would also be mandatory. However, concerns have been raised about potentially compromising law enforcement investigations due to the required reporting timeframe.

In addition to the cybersecurity disclosure rules for public companies, the SEC also proposed rules to manage cybersecurity risk in the investment industry. Investment advisers, registered investment companies and business development companies should adopt and implement written cybersecurity policies and procedures. It would also be necessary to report significant cybersecurity incidents to the SEC and maintain appropriate records.

Requiring investors and other key financial stakeholders to understand the value of and maintain a higher level of cybersecurity would create an incentive structure that could do great things to improve practices across the industry.

Solving problems and moving forward

The delay of the SEC’s cybersecurity rules signifies the complexity of addressing cybersecurity challenges and balancing reporting requirements with potential law enforcement implications. Stakeholders in public companies and regulated entities must remain proactive, maintaining strong cybersecurity practices and closely following updates from the SEC. In addition, the SEC should address concerns raised by the FBI and other stakeholders, ensuring that the finalized rules provide clear and practical guidance for effective cybersecurity risk management.

The FBI is said to have concerns about the 4-day disclosure rule. As it stands, companies would be forced to disclose incidents even if there is an active case opened by law enforcement. Concerns raised by the FBI about the potential compromise of law enforcement investigations should be addressed in the proposed rules. The SEC should consider these concerns as it finalizes rules to strike a balance between reporting requirements and the integrity of ongoing investigations.

By encouraging collaboration and implementing comprehensive guidelines, the SEC can improve organizations’ resilience to evolving cyber threats. By requiring investors and key financial stakeholders to take privacy and security more seriously, we are likely to see significant changes across the industry. By providing clear frameworks, the SEC can empower stakeholders to develop comprehensive cybersecurity strategies while aligning with industry best practices.

Comments are closed.