SEC proposes new cybersecurity disclosure rules

XBRL filings would help investors evaluate public companies' resilience, incident reporting

SEC proposes new cybersecurity disclosure rules

The Securities and Exchange Commission (SEC) is proposing new rules that would force listed financial companies to report more details on cybersecurity incidents as well as risk policies and board of directors’ cybersecurity expertise to the markets watchdog -- filing all cybersecurity disclosures in machine readable XBRL format.

The new rules, proposed March 9, are designed to "better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents".

Critically, they would  require companies to also provide updates about previously reported cybersecurity incidents; filling in detail about data loss, for example, as well as steps it has taken to improve cyber resilience.

The SEC monitors the activities of more than 28,000 entities in the securities industry, including investment advisers, broker-dealers, and securities exchanges and oversees ~$115 trillion in securities trading.

Stay tuned: Follow The Stack on LinkedIn

The SEC says current disclosure practices are "inconsistent" despite 2018 guidance.

As the SEC proposal notes (page 38): "After filing the initial Form 8-K disclosure [Ed: a report of unscheduled material events], the registrant may become aware of additional material information about the scope of the incident and whether any data was stolen or altered; [this proposal] would allow investors to stay informed of such developments. The registrant also may be able to provide information about the effect of the  previously reported cybersecurity incident on its operations as well as a description of remedial steps it has taken, or plans to take, in response to the incident that was not available at the time of the initial Form 8-K filing."

SEC cybersecurity disclosure rules: More detail on risk sought

New SEC cybersecurity disclosure rules proposed by Chair Gary Gensler
SEC Chair Gary Gensler

"Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs," said SEC Chair Gary Gensler on March 9.

"Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner," Gensler said.

The SEC chairman added: "I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies' cybersecurity practices and incident reporting."

A comment period will remain open for 60 days and it remains to be seen if an industry already under what it sees as significant reporting and compliance pressure -- across everything from ESG to AML -- will lobby to have the sweeping set of SEC cybersecurity disclosure proposals watered down.

The new SEC cybersecurity rules were proposed after the markets watchdog noted that its staff had "observed that most of the registrants that disclosed a cybersecurity incident in 2021 did not describe their cybersecurity risk oversight and related policies and procedures. Some of these registrants provided only general disclosures, such as a reference to cybersecurity as one of the risks overseen by the board or a board committee."

The watchdog added in its 129-page proposal [pdf] that "given that a significant number of cybersecurity incidents pertain to third party service providers, the proposed rules would require disclosure concerning a registrant’s selection and oversight of third party entities as well".

The SEC cybersecurity disclosure proposals come in the wake of security incidents that have materially affected some of the biggest companies out there, from US Honda plants through to the Colonial Pipeline -- with many incidents continuing to happen after rudimentary security hygiene was overlooked.

Federal authorities have also been stepping up pressure on government agencies to improve their cybersecurity risk management. The US’s Cybersecurity and Infrastructure Security Agency (CISA) for example in November 2021 told federal agencies that they had just two weeks to patch 105 known exploited vulnerabilities.

Earlier reports cast a troubling light on poor software patching (unpatched software is one of the top three ways attacks start), with a February 4, 2020 report into the enforcement of DHS directives (CISA is under DHS oversight) by the US Government Accountability Office (GAO) noted that one call by agencies to fix critical flaws in Cisco ASA devices had given affected organisations 45 days. In reality it took six months to fix 50% of impacted devices through patching and two years past the deadline to patch all of them, the GAO reported.

See also: Just 8 of the FTSE 100's CISOs are women