SEC Finalizes Cybersecurity Disclosures Rule
After an aggressive campaign by the NAM, the U.S. Securities and Exchange Commission has scaled back a damaging cybersecurity proposal that would have been deeply problematic for manufacturers. Yet, the final regulations still impose compliance burdens on publicly traded companies. Here’s what manufacturers can expect now that the rule is finalized.
The background: Last year, the SEC proposed a new set of cybersecurity disclosure requirements for public companies. The centerpiece of the rule was a mandate to disclose cybersecurity incidents to the public within four days. The proposal also would have required detailed reporting on companies’ policies and procedures for responding to cybersecurity threats.
The problem: Requiring detailed public disclosures about cybersecurity incidents and processes could provide a roadmap to potential hackers, and sharing information about ongoing incidents could compromise efforts to stop an attack.
The NAM response: The NAM urged the SEC to make commonsense adjustments to protect manufacturers from attacks and give companies the flexibility to respond to cybersecurity incidents appropriately.
The result: The final rule is more tailored than the initial proposal, reducing the risk that companies will be forced to expose sensitive information. But its requirements still impose new compliance burdens on manufacturers.
Incident reports: The rule still requires companies to report cybersecurity incidents publicly within four days, but companies will be able to request that the attorney general grant a 30-day extension to protect public safety or national security—a top priority for the NAM. The extension could be lengthened by an additional 30 days (for public safety) or 90 days (for national security) if warranted.
- Thanks to the NAM’s intervention, the SEC will require the disclosure of only limited information about an attack’s circumstances and impact, whereas the original proposal would have forced companies to disclose extensive details, including potentially sensitive data.
- In addition, a provision requiring companies to track, aggregate and disclose the impact of minor cybersecurity incidents—which the NAM opposed—was struck from the final rule.
Risk management and governance: Companies will be required to disclose information on cybersecurity oversight by their board and management, as well as how cybersecurity is incorporated into their overall risk management strategy.
- These disclosures must include “sufficient detail for a reasonable investor to understand” a company’s cybersecurity risk management—but will no longer include information on a company’s specific prevention and detection activities.
- A provision effectively requiring companies to have a cyber expert on their board, which the NAM strongly opposed, was not included in the final rule.
Our take: “The NAM is committed to a smart, flexible disclosure approach that ensures manufacturers—and their customers and shareholders—can stay protected from cybersecurity threats,” said NAM Senior Director of Tax and Domestic Economic Policy Charles Crain.
- “Manufacturers were glad to see that the SEC made some adjustments to its rule, but more must be done. The SEC and the Department of Justice must grant companies the flexibility to delay incident reporting to prevent threats to public safety and national security.”
Get protected: Every manufacturer should have the tools it needs to protect itself against cyberattacks. Check out NAM Cyber Cover—an exclusive cybersecurity and risk mitigation program for NAM member companies and organizations.