SEC Cybersecurity Changes, Part 1, Background

The Securities and Exchange Commission (SEC) is aiming to radically impact the reporting requirements around cybersecurity for SEC Registrants.  The comment period closed last week and these changes could take effect as early as June of this year.  Many Registrants will find that they are not prepared for these new requirements involving cybersecurity risk management, strategy, governance, and incident reporting that will require fast disclosure of detailed information regardless of the status of the investigation.  

While some reporting and disclosures are already required, these rule changes make it plain that the Commission values transparency above all other considerations in order to maintain the confidence of public investors.  They are prioritizing investors’ ability to effectively manage risk over the possible damage to the reputation of the Registrant or their investigation into the incident.  This is the first article of a series exploring the proposed rules along with the possible consequences, both intended and unintended, and what this means for firms trying to recover from cybersecurity incidents.

Before getting into the proposed changes themselves, it is worth noting how the SEC sets the backdrop for them: by highlighting what the Commission views as existing provisions that “may require disclosure about cybersecurity risks, governance, and incidents.” For this, they draw from the 2018 Interpretive Release (2IR).

The Commission points out these considerations as a way to highlight that cybersecurity is not a new consideration in reporting and transparency.  This is, most likely, to show that the new proposed rules are only an extension and clarification of previous intentions.  What has clearly changed, however, is the increasing pressure on firms to ensure that their cybersecurity risk management is sufficient and at least on par with peers.  Effective cybersecurity risk management will increasingly become a competitive advantage as the required reports start to be published.  There will be dirty laundry aired about cybersecurity and it is up to the Registrants to make the appropriate investments to ensure that does not happen to them. 

Shay Colson, CISSP

Cybersecurity for the Middle Market

2 years ago

That last sentence is where the rubber meets the road. Curious if you have thoughts on which rules will make it through, which will be removed, and which will be seriously watered down due to the comments from industry groups. Looking forward to the next article, hopefully you have room to explore what it takes to meet the bar as it was proposed. In my mind, even if the bar is lowered, what was proposed remains a good goal to aim for (you know, shoot for the stars, land on the moon kind of thing).
