The Securities and Exchange Commission formally proposed a new set of regulations that would impose sweeping transparency requirements around the cybersecurity operations of publicly traded companies.
SEC Chair Gary Gensler announced the broad contours of the upcoming rules earlier this month, but the proposed regulation released today provides more detail around the new requirements the agency is seeking to place on businesses.
Specifically, the proposed regulations, put out for public comment through May 9, would compel businesses to notify the government when they are hacked and to hand over a range of details about how they manage and prioritize cybersecurity. The collective requirements “are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.”
“We are proposing amendments to require current reporting about material cybersecurity incidents,” the agency wrote in a March 22 Federal Register notice. “We are also proposing to require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.”
The incident disclosures would cover new or past “material” cybersecurity breaches or incidents, the impact they had on business operations, the remedial steps taken and any changes in security policy made as a result.
The governance disclosures would require updates on risk assessment programs, with an emphasis on risks the company takes on by using outside or third-party services, such as cloud providers. Companies would also be asked about any security audits, business continuity plans and how cybersecurity fits into the company’s broader hierarchy and business strategy.
That includes new reporting on what sort of expertise companies have at the top: the SEC would ask for details on any board members with prior cybersecurity experience or relevant degrees and certifications.
In its background section, the SEC said capital markets now depend on companies using “secure and reliable information systems” and that cybersecurity incidents, particularly those affecting third-party cloud and service providers, are increasingly having outsized effects on the economy, national security and critical infrastructure.
Poor cybersecurity can also lead to myriad costs for businesses and stockholders, from business interruption, ransom payments and remediation costs to higher insurance rates, lost or stolen intellectual property, litigation, privacy harms and a lower stock price.
These are details, the SEC argues, that increasingly concern investors, and public transparency may even prod more robust security practices at companies that would otherwise face public embarrassment or a loss of shareholder confidence.
“Investors would likely want to understand the financial impacts of cybersecurity risks and previous cybersecurity incidents in order to understand how these risks and incidents affect the company’s financial performance or position, and thus the return on their investment,” the agency wrote.
The proposed rules come after a bipartisan group of Senators wrote to the agency in February to press many of the same ideas and referenced pending legislation.
Gensler has forecast a busy rulemaking season for the SEC as commissioners seek to reshape their oversight priorities and make protection and due diligence against costly breaches or ransomware attacks a higher priority for businesses. The commission has already voted to propose rules that would require investment advisers and investment companies to report cybersecurity incidents and major breaches to the agency, adopt and implement written cybersecurity policies that are “reasonably designed” to address risks, and disclose any breaches or incidents they have suffered in the past two years.