Investors to Decide Their Level of Risk As SEC Votes on Increased Cybersecurity Breach Disclosures
The vote comes against the backdrop of increased potential cybersecurity threats from Russia, as well as renewed calls from politicians and experts for companies to protect themselves.
“I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting,” SEC chair Gary Gensler said in a statement. “We’ve been requiring disclosure of important information from companies since the Great Depression. The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis.”
CNBC reported that an SEC spokesperson noted these proposals had been under consideration for some time, but that the crisis in the Ukraine had given them a “special relevance.”
The SEC’s proposal includes amending the Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident. Further, the proposal would require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and to disclose, to the extent known to management, when a series of previously undisclosed, individually immaterial cybersecurity incidents has become material in the aggregate, per the rule’s fact sheet.
“Cybersecurity incidents, unfortunately, happen a lot,” Gensler said in the statement. “They can have significant financial, operational, legal, and reputational impacts on public issuers. Thus, investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns.”
SEC commissioner Caroline Crenshaw wrote in a statement that the sophistication and frequency of cyberattacks have increased as of late, “and that increase has imposed corresponding economic harms and increased expenses on companies, and their investors. In the most high-profile examples, we have seen outright halts in production and multi-million dollar ransom payments.”
The sole dissenting opinion comes from commissioner Hester Peirce, who wrote in a statement that “the governance disclosure requirements embody an unprecedented micromanagement by the Commission of the composition and functioning of both the boards of directors and management of public companies.”
“The tension between ensuring that investors get material cybersecurity incident information and protecting the ability of law enforcement to pursue wrongdoers is difficult to resolve appropriately, and I look forward to hearing how commenters would resolve it,” Peirce wrote.