Responses to the SEC’s Proposed Cybersecurity Reporting Rules
In March, the U.S. Securities and Exchange Commission (SEC) issued proposed rules to require public companies to disclose their cybersecurity risk management, strategy, governance, and incident details with the intention of enhancing cybersecurity beyond the controlled government systems. To read more about the proposed framework in detail, click here.
The comment period for these proposed rules lasted for two months, ending on May 9, 2022. During that time, the SEC received more than 100 comments from various sectors, including legal, government, business, and nonprofit. These comments vacillated from critical to supportive, but many had several concerns about the rule’s provisions. For those curious about the specific apprehensions, our Technology and Cybersecurity team analyzes them, as well as the suggested solutions, in this article.
Most common concerns regarding the SEC’s cybersecurity proposal
Within the comments provided on the proposal, there were eight key issues broached along with solutions to these issues.
1. The four-day incident notice deadline
Many commenters believe being given a mere four days to report a cybersecurity incident was not enough time to truly analyze the incident and complete an accurate report. Worried a harried or slapdash report could yield even more security risks, they proposed more flexible solutions to provide accurate disclosures, like:
- A 30-day reporting deadline;
- Government-permitted reporting delays (as needed);
- A modification in the disclosure framework to ensure state notification statutes are exemplified; and
- Additional time for smaller companies to investigate, report, and fully disclose the situation as needed.
2. Law enforcement and national security exceptions
Feedback for the proposed rules also stated some specific incidents should benefit from delayed reporting exceptions, namely those that need to involve law enforcement or security investigations on a larger scale.
This solution allows those grappling with more challenging and involved cybersecurity incidents to remain compliant with the law while doing what is necessary to complete an investigation and strengthen security to prevent future incidents. It also gives law enforcement more freedom to complete their efforts — and prevents publicity that could tip off the attackers, who could then cover their tracks.
3. The definition of key terms
The SEC uses several words that could be misconstrued, have multiple meanings, or are not succinct enough to require disclosures surrounding them. These words, as pointed out in the comments, include:
- Cybersecurity threat,
- Cybersecurity incident, or
- Information systems.
To solve this and streamline compliance reporting requirements, commentors believe the SEC should utilize the thorough and uniform definitions employed by the National Institute of Standards and Technology (NIST), as well as those used in the Cybersecurity Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), SEC’s Release Number 33-11028, and the 2016 Presidential Policy Directive on United States Cyber Incident Coordination.
In addition, the SEC can break down each incident or threat into a tier system to accurately encapsulate the severity each tier entails, better describing the impact on the organization.
4. The disclosure of the board of directors’ cybersecurity expertise
Comments also touched on the requirement to include the experience the members of a company’s board of directors have, finding it unnecessary to disclose and tedious to acquire. The suggestions given included eliminating this narrow requirement (primarily because if a board member(s) does not have heavy cybersecurity experience, that could reflect negatively on the company’s prioritization of cybersecurity) even if the company does, in fact, take cybersecurity seriously.
They also call for “cybersecurity expertise” to be defined using broad criteria so smaller companies can meet the requirement without struggling to find an “expert” just to tick a box — or to allow the requirement to meet with a leader at different level in the company besides the board of directors.
5. The accumulation of immaterial events requirement
Another criticism of the proposed rules targets the requirement to list previously undisclosed immaterial cybersecurity incidents, which many comments revealed to find unnecessary and vague, as an incident to one company may be deemed immaterial but found material to another. The lack of consistency and definition means their solution is to either scratch the requirement or, alternatively, provide more guidance on what these incidents should entail to be included, as well as an example of one — and set a one-year limit, as this requirement does not include one.
6. Security program disclosures
Requiring a company to disclose security program-related protocols and plans, like strategies and risk management tactics would, comments to the proposal argue, make the company more vulnerable to future security breaches — as well as inadvertently divulge protected information. To mitigate this, critics suggest removing the requirement to keep companies (and their security plans) safe, allowing a vague summary of the program to meet the requirement; or introducing a confidentiality clause.
7. Fear of regulatory discord
As cybersecurity becomes a bigger issue for all industries across the country, the SEC’s proposal could contradict other states’ laws and requirements regarding cybersecurity (and their varying definitions, triggers, timings, and more). This could create confusion for companies who want to remain compliant in the event of a cyberattack but are unsure of which requirements they must meet to determine if a breach has, in fact, occurred. Readers of the proposed rule believe creating standardized terms and requirements can help. Plus, the SEC should demonstrate how it will work with the other regulations so companies can align their requirements in a streamlined way.
8. Safe harbor provisions
It seemed to many if a company has already reported a material cybersecurity risk, it is redundant to be required to report it again via the Form 8-K. The provided (short) timeframe, too, could cause issues — in the case of a third-party breach, a company may hurry to complete the form without confirming it to be reliable or accurate, defeating the entire point of the form.
This requirement invited split opinions. Some comments mentioned two “safe harbors” (i.e., double reporting) is a good thing, helping the SEC to promote consistent disclosure. Others, however, stated that including both would be redundant, especially with a tight deadline and the lack of clear definitions for these incidents.
Our perspective on the response to the SEC’s cybersecurity proposal
As the SEC strives to increase transparency and prevent malicious cyberattacks, cybersecurity disclosure requirements will continue to change and strengthen. The number of comments received on this proposed rule indicates that companies across industries are not only invested in what these disclosure requirements mean, but they are willing to do what is necessary (albeit logical) to enhance and standardize the way they protect themselves and disclose risk.
Looking forward, the SEC will take these comments into consideration for the next draft of the proposal.
How we can help
While you wait for the next draft of the proposal, remember to stay vigilant—not only to protect your organization, but also to maintain compliance. To stay up to date, bookmark the SEC’s Cybersecurity news and our Technology and Cybersecurity insight library.
Professional service firms like MGO help verify you are compliant and strengthen your overall cybersecurity — so these incidents are less likely to occur, and if they do, you will be ready to mitigate risks at once. Let us know if you are ready to assess your cybersecurity or get started on a SOC for Cybersecurity.
For insights tailored to your company and industry, schedule a conversation with our Technology and Cybersecurity team today.