SEC Postpones Final Rule on Cyber Incident Disclosures
The Securities and Exchange Commission (SEC) was due to issue a final rule that would implement new regulatory requirements for publicly traded companies to disclose material cyber breaches in their regulatory filings within 4 days of the discovery of a breach. The decision has now been delayed until at least October 2023. A draft rule was proposed in March 2022 to improve transparency about cybersecurity incidents at publicly traded companies. The proposed rule called for publicly traded companies to ensure that investors are made aware of any material cybersecurity incidents and disclose information about cybersecurity governance, the level of board expertise in dealing with cybersecurity incidents, and the involvement of upper management in cyber risk. A new rule was also proposed for investment advisers, registered investment companies, and business development companies in February 2022 that requires them to develop, implement, and maintain written cybersecurity policies and procedures to address cybersecurity risks.
Regulatory changes to force publicly traded companies to disclose cyber incidents were seen to be necessary as many were choosing not to disclose these incidents to avoid potential lawsuits and minimize reputational harm. Only one-quarter of ransomware attacks are reported to public authorities, as the reporting of cyber incidents is voluntary. The proposed rules were subject to two comment periods, and more than 175 comments have been submitted in response to the proposed cyber rules. The final rule was expected to be published as early as April 3, 2023; however, the SEC has now stated in a recent update to its rulemaking agenda that its new cyber rules will not be published until at least October 2023. The SEC did not provide a reason for the delay; however, there has been considerable pushback on the proposed rules.
While there has been broad support for the new cyber requirements for improving transparency, the devil is in the detail, especially the 4-day reporting requirement, which many commenters believe would hinder the ability of public companies to stop, investigate, remediate, and defend against cybersecurity incidents. The cybersecurity firm, Rapid7, warned that the 4-day disclosure deadline would mean companies that suffer security incidents would be forced to publicly disclose the incidents before they had been fully contained, and that would tip off hackers and make the companies more vulnerable and could lead to greater harm to investors. Rapid7 requested companies be allowed to delay reporting until a cyber incident has been fully remediated before being required to report the incident.
The U.S. Chamber of Commerce said the SEC is attempting to micromanage corporate cybersecurity programs and the proposed rule would not necessarily protect investors. The SEC was criticized for the 4-day reporting period as it did not give companies sufficient time to evaluate the severity of security incidents. The requirement to disclose whether the board has cybersecurity expertise was also criticized as it could lead to unwieldy and unwanted outcomes, such as giving investors a false level of confidence in the ability of a company to deal with the security incident. In its comments, the Chamber of Commerce said it would be difficult even for NIST to pinpoint what constitutes expertise or experience in cybersecurity that would earn widespread agreement among industry professionals.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
