New cybersecurity rules from the Securities Exchange Commission (SEC) were adopted in July, and many are set to take effect on Dec. 15. The new rules are intended to enhance and standardize disclosures regarding cybersecurity risk management, governance, and incident reporting to ensure greater transparency for investors and the government. However, pushback on the rule’s cyber incident reporting requirements are eclipsing the other important and potentially beneficial components of the rule.

In comments to the SEC, the Cybersecurity Coalition expressed its overall support for the SEC’s efforts to establish consistent cybersecurity transparency practices for public companies. However, the Coalition also raised concerns with the proposed incident reporting requirements, which were enshrined in the final rule. Although the Coalition views the approach to incident reporting as problematic, the other requirements of the final rule have the potential to create a helpful balance between cybersecurity and transparency. 

Overview of the rule

For a more detailed analysis of SEC cybersecurity rules, check out this memo. Below are three key actions public companies must take under the recently updated rules: 

• Incidents – Disclose material cybersecurity incidents on Form 8-K within four business days of determining the incident is material, and disclose any material updates on an ongoing basis. These reports become publicly accessible through SEC’s EDGAR system.
• Risk management – Disclose the processes for assessing, identifying, and managing material risks from cybersecurity threats in an annual report on Form 10-K.
• Governance – Disclose the board of directors' oversight and management's role in assessing and managing material cybersecurity risk in an annual report on Form 10-K.

Legitimate concerns overshadowing potential positives

In general, the Coalition believes that the required disclosures for cyber risk management and governance will prove beneficial to promoting transparency to investors on these increasingly important aspects of business operations. Additionally, this transparency should spur investors to support strong security programs, providing an incentive for public companies to maintain cybersecurity governance and procedures in line with industry best practices and standards.

However, among the three categories of disclosures, incident reporting has faced the most visible opposition from both public and private sectors. This is largely due to concerns that the reporting requirements will force companies to publicly disclose cyber incidents before they have been mitigated, and may conflict with other regulatory obligations and incident response best practices. This risks harm to public companies, their investors, and individual consumers. The Coalition agrees with these concerns, underscores the need for harmonization of cyber incident reporting regimes where possible, and calls on the SEC to amend the incident reporting requirement with a delay in disclosures of uncontained incidents.

Due to the controversial nature of the incident reporting disclosure, Representative Andrew Garbarino (R-NY) and Senator Thom Tillis (R-NC) have recently introduced companion resolutions that would use the Congressional Review Act to reject the SEC’s latest security rules. However, if passed, the resolution would overturn not only the contentious incident reporting aspect but also other potentially beneficial provisions within the regulation. 

Rather than dismantling the entire regulation, we encourage policymakers and regulators to mitigate overlapping or contradictory reporting requirements that unnecessarily burden or create risk to organizations. The Coalition is otherwise generally supportive of the effort to enhance the transparency of organizations’ security risk management and governance processes, which can prompt market competition based on security and strengthen the technology ecosystem. 

Don’t throw the cyber baby out with the cyber bathwater

In light of the SEC cybersecurity rules as well as the recent charges against SolarWinds and its Chief Information Security Officer, it’s clear that SEC is making cybersecurity a regulatory and enforcement priority. As a result, companies and individual executives should carefully evaluate their cybersecurity practices and responsibilities to reflect this heightened focus. 

To meet these expectations, companies and executives should work to ensure that their public disclosures accurately convey material risks and are not generalized. This necessitates effective collaboration between security, legal, and corporate communication teams to adapt cyber incident response plans and reporting processes to align with these obligations. By doing so, companies can not only strengthen their internal cybersecurity controls and measures, but effectively convey their commitment to transparency and compliance.