Estimated reading time: 4 minutes
March 16, 2022 | Jennifer Clarke
SEC proposes mandatory disclosure rules for cybersecurity
Compliance teams can barely move for emerging disclosure rules of late, with the rise of environmental, social and governance (ESG) factors inspiring a push towards transparency from investors and regulators in turn.
This week, it’s the turn of cybersecurity. The US’s Securities and Exchange Commission has proposed amendments to existing Securities Exchange Act 1934 rules, that would enhance disclosures pertaining to cybersecurity risk management, as well as governance and incident reporting for cyber. The proposals build on interpretive guidance published in both 2011 and 2018 which, while improved, lead to “inconsistent” disclosure practices by the SEC’s own admission.
The new rules aim to better inform investors with consistent, comparable and “decision-useful” disclosures. These would allow consumers to evaluate registrants’ exposure to cybersecurity risks, as well as give them to tools to manage and mitigate those risks.
SEC chair, Gary Gensler, has overseen a number of proposals that alter the current disclosure regimes for financial services. Commenting on the most recent proposals, he said:
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor need. Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks.”
What do the crypto disclosure proposals say?
The SEC’s proposed amendments would require financial services to disclose a plethora of information that was not previously divulged to investors. In particular, it would require firms to make periodic disclosures about:
- The cybersecurity expertise of its Board of Directors (if any) and its oversight of cybersecurity risk
- Information and updates around previously reported cybersecurity incidents
- The role of the management team in implementing cybersecurity policies and procedures
- A registrant’s policies and procedures to identify and manage cybersecurity risks
As well as this, the SEC has proposed to amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after becoming aware of that incident. Moreover, it would amend Regulation S-K to require registrants to disclose information about previous cybersecurity incidents.
What happens next?
The proposed rules will now go to a period of public comment, which lasts for 60 days following their publication on the SEC’s website.
How long has it been since you flicked through a powerpoint presentation about cybersecurity, only to tell your company that it was complete. Or perhaps your company employs something more interactive? A training day or breakout sessions? Cybersecurity isn’t fascinating for everyone, but it does affect everyone – and it’s becoming more important to investors and regulators alike.
The SEC’s proposals stand to clearly demonstrate that cybersecurity is not an issue that can be brushed under the carpet. Nor is it an area that should simply be left to IT or HR. Powerpoints are out – the board is in. The SEC clearly expects that cybersecurity is an issue that is managed and discussed by the Board of Executives. Firms that fail to see it this way will likely feel the sharp end of emerging regulation.
As well as this, the latest rules from the SEC reflect a shift in the general mood for financial services. It is a mood that is moving away from traditional investment tactics (tell the people what they need to know and nothing more) to what they want to know. Investors and consumers no longer want to be spoon fed basic financial information – they want the nitty gritty. Are you investing in fossil fuels? How many diverse members are on your board? What’s your plan for net-zero? How will you protect my data?
Like it or not – investors are involved in finances like never before. If firms won’t share the relevant information, they’ll look elsewhere. After all, there’s a swathe of modern challenger and neo-banks that not only share information, but actively encourage their consumers to get involved.
The SEC is making clear attempts to keep up with the tide of change for financial services – to give consumers what they want and to ensure that investors have the information they need to make educated investment decisions. The difficulty comes in the practicality of these changes. Firstly, do firms have the relevant information to present to the regulators? Secondly, do they have the time to be drawing up periodic disclosures alongside every other reporting requirement and audit?
How can firms get ready for emerging cyber disclosure rules?
For some – especially the more technology advanced – new disclosure rules will be a walk in the park. For others, the SEC’s proposals could mean lack of data, staff or resources become a real problem – rather than just a thorn in their side. The easiest way to manage pending disclosure requirements is three-fold:
- Prepare: anticipate regulation to come, put the infrastructure in place ahead of time, strengthen existing disclosure controls and procedures around cybersecurity and ensure cyber is a board issue – not just for the IT team.
- Assess: firms should consider whether to disclosure previous material cybersecurity incidents, or future material incidents in real time under Form 8-K.
- Invest in technology: the only way to effectively manage regulatory change and reporting is through RegTech, which can do in an instant what would take a whole team weeks to do.
If emerging disclosure rules are giving you a headache, speak to CUBE.