NAM: SEC Must Make Changes to Cybersecurity Disclosure Rule
The Securities and Exchange Commission should rescind certain reporting requirements for cybersecurity incidents in its 2023 final cybersecurity rule, the NAM told the agency.
What’s going on: The NAM supports a rulemaking petition recently submitted by five financial industry groups that asks the SEC to “rescind the Form 8-K (Item 1.05) incident reporting requirements for cybersecurity incidents, as well as the corresponding Form 6-K requirements for foreign private issuers.”
The SEC should also do the following, according to the NAM:
- Rescind the four-day reporting requirement: The NAM asks the agency to stop mandating that public companies report on cybersecurity incidents within four business days. Instead of this rigid deadline, the NAM supports a return to a voluntary, principles-based disclosure regime in which companies have more flexibility in how they disclose significant cybersecurity attacks, so that shareholders receive timely and useful information.
- Allow more flexibility for companies to delay disclosures that could jeopardize national security or law enforcement investigations. The NAM asks the SEC to broaden a narrow exception that requires companies to obtain permission from the U.S. attorney general within four business days to delay public disclosure, an impractical requirement for most manufacturers.
Why the SEC should do it: The current four-business-day reporting mandate provides manufacturers “with insufficient flexibility to delay or forgo disclosure to investigate and respond to an incident, work with law enforcement or avoid tipping off attackers,” NAM Managing Vice President of Policy Charles Crain explained.
- The mandatory disclosure deadline has “increase[d] costs and complexity for businesses” and has the potential to “mislead investors and ultimately create significant risks for shareholders and the broader economy that would eclipse the potential benefits of reporting.”
- The SEC’s incident reporting mandate also harms shareholders by diverting company resources from efforts to address the impact of a cybersecurity attack.
- Finally, requiring that companies issue public reports while a cybersecurity incident is ongoing could provide information helpful to the perpetrators or other bad actors.
The last word: “The NAM strongly supports a more flexible approach to cybersecurity reporting, and manufacturers respectfully encourage the SEC to amend its 2023 cybersecurity rule to more appropriately reflect the important concerns of public companies, shareholders, law enforcement and national security agencies,” Crain said.