The Securities and Exchange Commission (SEC) has announced a delay in finalizing its proposed cybersecurity rules. The two different sets of rules, one for public companies and regulated entities and another for investment advisers, registered investment companies, and business development companies, are now expected to be delayed until at least October 2023. The delay has raised questions about the timeline and about the factors driving the extended process.
Despite an initial target of finalizing the rules by April 2023, the SEC has postponed the timeline. The reasons behind the delay remain unclear, but ongoing debates and discussions regarding specific features of the rules could be contributing factors. These discussions may involve addressing concerns raised by the FBI and other stakeholders, ensuring a balanced approach that respects the needs of law enforcement while promoting transparency and accountability in ways that strengthen the industry.
Enhanced Disclosure And Responsibility
The proposed cybersecurity disclosure rules aim to enhance transparency and accountability in public companies’ handling of cybersecurity incidents. SEC Chair Gary Gensler was quoted stating that, “cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks.”
While Gensler acknowledges that many companies already make these disclosures, he supports the rules because he believes, “companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.” First released in March 2022 for public comment, the rules largely focus on enhancing cybersecurity requirements for public companies, including:
- Four-day disclosure timeframe for “material” cybersecurity incidents;
- Requirements around Board governance of cybersecurity;
- Increased disclosures on Board cybersecurity expertise;
- Enhanced disclosures on risk management, oversight, and cybersecurity; and
- Aggregation requirements for incidents that are non-material individually.
Ongoing disclosures about cybersecurity governance, risk management, and strategy would also be mandatory. However, concerns have been raised regarding the potential compromise of law enforcement investigations due to the required reporting timeframe.
In addition to the cybersecurity disclosure rules for public companies, the SEC has also proposed rules for cybersecurity risk management in the investment industry. Investment advisers, registered investment companies, and business development companies would need to adopt and implement written cybersecurity policies and procedures. Reporting significant cybersecurity incidents to the SEC and maintaining proper records would also be required.
Requiring investors and other key financial stakeholders to understand the value of, and maintain, a higher level of cybersecurity would create a trickle-down incentive structure that could substantially improve practices industry-wide.
Addressing Concerns and Moving Forward
The postponement of the SEC’s cybersecurity rules signifies the complexity of addressing cybersecurity challenges and balancing reporting requirements with potential law enforcement implications. Stakeholders in public companies and regulated entities must remain proactive, maintaining strong cybersecurity practices, and closely monitoring updates from the SEC. Additionally, the SEC needs to address concerns raised by the FBI and other stakeholders, ensuring that the finalized rules provide clear and practical guidance for effective cybersecurity risk management.
It has been reported that the FBI has concerns about the four-day disclosure rule. As it stands, companies would be compelled to disclose incidents even when law enforcement has an active investigation open. The FBI’s concern that the proposed rules could compromise ongoing investigations needs to be addressed, and the SEC should weigh it while finalizing the rules so that reporting requirements are balanced against the integrity of those investigations.
By fostering collaboration and implementing comprehensive guidelines, the SEC can enhance the resilience of organizations against evolving cyber threats. By requiring investors and key financial stakeholders to take privacy and security more seriously, it’s likely we will see significant changes industry-wide. By providing clear frameworks, the SEC can empower stakeholders to develop comprehensive cybersecurity strategies while aligning with industry best practices.