The Commission’s Cybersecurity Proposals: Who Should Decide on the Disclosures – the SEC or the Issuer?
The Commission proposed new rules on cybersecurity on March 8, 2022. The rules are straightforward, essentially requiring issuers to make certain disclosures regarding their cybersecurity policies and procedures. The debate among the Commissioners, however, centers on who should decide what is disclosed: the agency or the issuer.
The proposed rules: If adopted, the rules would require an issuer to disclose:
1) Any material cybersecurity incident
2) Periodically, the firm’s policies and procedures for identifying and managing cybersecurity risks
3) Management’s role in implementing cybersecurity policies and procedures, and
4) The board of directors’ cybersecurity expertise and oversight
Finally, the proposals would, if adopted, require the firm to include updates on previously reported cybersecurity incidents in its subsequent reports.
This is not the first time the Commission has considered cybersecurity issues. In 2011 the Division of Corporation Finance issued interpretive guidance regarding an issuer’s then-existing disclosure obligations. Following that 2011 staff guidance, the Commission itself issued interpretive guidance in 2018 that essentially reinforced the earlier statements from Corp Fin.
Commissioner Comments: Chair Gensler issued a statement supporting the proposals. Many issuers already make certain disclosures regarding cybersecurity, Mr. Gensler noted. In view of the repeated incidents, companies and the investing public would benefit from rules requiring certain disclosures in this area. In this regard, two points are critical. First, the proposed rules would require “ongoing disclosures on companies’ governance, risk management, and strategy with respect to cybersecurity risks.” This type of disclosure would permit investors to assess the readiness of the firm to deal with issues in this area.
Second, the proposals would require mandatory, ongoing disclosure of material incidents. This is an important point because “incidents could affect investors’ decision-making.” Finally, Chair Gensler has asked the staff to make recommendations with respect to broker-dealers, Regulation SCI and intermediaries’ requirements regarding customer notices.
Commissioner Hester M. Peirce had a different view. While acknowledging the importance of the topic, Ms. Peirce cautioned that the Commission must view the issue through the lens of its statutory obligations: “We have an important role to play in ensuring that investors get the information they need . . . This proposal, however, flirts with casting us as the nation’s cybersecurity command center . . .” The difficulty with the proposals, in her view, is that they intrude on questions of business judgment that should be left to the issuer rather than decided by the agency. For example, while “the integration of cybersecurity expertise into corporate decision-making likely is a prudent business decision for nearly all companies, whether, how and when to do so should be left to the business. . .”
The bright spot in the proposal, according to Commissioner Peirce, is the incident reporting provision. While this area is already addressed by earlier guidance, the proposal does contain “sensible guideposts” for companies to follow, if rooted in materiality.
Comment: The key difference here is not the importance of the topic. Chair Gensler and Commissioner Peirce both agree that cybersecurity is a critical topic for any issuer. Rather, the debate is about approach. Chair Gensler views the disclosure obligations as giving investors information they need for decision making. While Commissioner Peirce might agree that the topics would be of interest to investors, the question is whether the agency should step in and mandate that the information be made available, or whether the issuer should decide what its shareholders receive. Those penning comments on the proposals may wish to address this point.