SEC Weighs Cybersecurity Rule for Companies
The Securities and Exchange Commission is considering a rule that would require publicly traded companies to disclose data breaches and other cybersecurity events within four days, according to The Wall Street Journal (subscription).
What’s going on: “Commissioners voted 3-1 to issue the proposal, which could be completed after the agency receives and analyzes feedback from the public. ‘Cybersecurity incidents, unfortunately, happen a lot,’ SEC Chairman Gary Gensler said in prepared remarks, noting that successful attacks affect companies’ finances, operations and reputations. ‘Thus, investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns.’”
- Companies are already required to tell the market about any risks they believe might be important to investors, but some believe that disclosure has been inconsistent: roughly 90% of known 2018 cyber events at public companies went unreported, according to the Journal.
Additional requirements: “In addition to reporting major cybersecurity events within four days after uncovering them, companies would be required to provide periodic updates about previous incidents. They would also have to report when ‘a series of previously undisclosed, individually immaterial cybersecurity events has become material in the aggregate.’”
- Companies would also be required to provide disclosure in their annual SEC filings about their cybersecurity risk management practices.
Next steps: The SEC will accept comments on the proposal for at least 60 days before deciding on a final rule.
The NAM’s take: “Cybersecurity is critically important to modern manufacturing,” said NAM Senior Director of Tax and Domestic Economic Policy Charles Crain. “The NAM looks forward to engaging with the SEC to ensure that its proposed disclosure requirements allow manufacturers to accurately report cybersecurity information that is relevant to their operations, material to investors and reported over an appropriate time horizon.”