July 21, 2023
The Securities and Exchange Commission (SEC) on July 26, 2023, is set to deliberate over a proposal, first introduced in March 2022, to mandate more prompt disclosure of material cybersecurity breaches by public companies. This initiative addresses investor concerns about learning of significant cyberattacks through news channels before official company announcements and other reporting inconsistencies.
One notable example of a cybersecurity breach concealed for an extended period was the Uber data breach that occurred in 2016 but was only publicly disclosed in late 2017. In this instance, hackers stole the personal data of 57 million Uber users and 600,000 drivers. Rather than promptly reporting the incident, Uber paid the hackers $100,000 to delete the data and keep the breach quiet.
The proposed rule, if ratified, would ensure increased transparency in cybersecurity reporting. More specifically, public companies would be obliged to report any material cybersecurity incident within four days through Form 8-K disclosures.
Additionally, companies would be expected to provide regular updates about their cybersecurity risk management policies and any updates on previously disclosed incidents, among other proposed requirements.
While it remains uncertain whether the SEC will adopt these rules as stipulated in the proposed Release No. 33-11038 - Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, business groups and law firms have expressed their concerns over various aspects of the proposed requirements, including the stringent four-day reporting period.
Notably, the SEC had initially planned to adopt these rules during the spring. However, it deferred this plan to the fall in its most recent regulatory agenda, which is updated biannually. This decision caught some observers by surprise, with many expecting the decision to be taken in October.
At a conference on July 17, SEC Chair Gary Gensler addressed a question about the timing of various rulemakings, stating, "Sometimes things go a little faster; sometimes things go a little slower." He added that the SEC usually adopts or proposes rules when the staff and commissioners are ready.
Cybersecurity, being a top priority, has public companies keenly following this rulemaking process. Brown noted the anticipation among public companies regarding whether the SEC has thoughtfully considered the substantial comment letters and the practical implications of the proposed rules.
However, certain conflicts have been identified between the SEC's proposal and the policy goals established by Congress. For instance, the U.S. Chamber of Commerce, in a comment letter, argued that the SEC's proposed rules clash with the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which mandates certain critical infrastructure entities to report applicable cyber breaches to the Cybersecurity and Infrastructure Security Agency within 72 hours. The Chamber also expressed concern that public disclosure of a company’s cybersecurity policies and practices could potentially offer a blueprint to criminals and adversarial nations to launch cyberattacks.
Meanwhile, the proposed rules have attracted the attention of the accounting and auditing professions. The AICPA has recommended its Cybersecurity Risk Management Reporting Framework, developed in 2017, to aid companies in managing and reporting cybersecurity risks and incidents. Simultaneously, the Center for Audit Quality (CAQ) has urged the SEC to provide clear definitions of cybersecurity incidents and threats, suggesting the use of risk-based terms such as confidential, non-public, or personally identifiable.
In the upcoming July 26 meeting, the SEC will also consider two additional rulemaking items. The first pertains to conflicts of interest associated with the use of predictive data analytics by broker-dealers and investment advisers. The second involves amendments to the exemption for internet advisers from the prohibition against registration under the Investment Advisers Act of 1940.
This significant development in SEC regulation stands to redefine how public companies handle and report cybersecurity breaches, affecting numerous stakeholders across various sectors.
Framework Security assists Registered Investment Advisors (RIAs) meet the evolving requirements of the SEC's Breach Reporting Rules and beyond. Contact us with questions regarding how this proposal may impact your organization.