Skip to main content
close search
site logo

What the SEC weighed in finalizing the cyber disclosure rules

The SEC’s head of the corporate finance division said the burden of meeting compliance and fears of tipping off threat groups were carefully considered prior to final recommendations.

Published Dec. 18, 2023
David Jones's headshot
Reporter
Close up of Gary Gensler speaking during a senate hearing
WASHINGTON: Securities and Exchange Commission (SEC) Chair Gary Gensler testifies before the Senate Banking, Housing, and Urban Affairs Committee, on Capitol Hill, on Thursday, September 15, 2022. Kevin Dietsch/Getty Images via Getty Images

The leader of the Securities and Exchange Commission’s Division of Corporate Finance downplayed concerns that the agency’s new cybersecurity rules will provide a roadmap to threat groups about their attacks or place an undue burden on security executives. 

Erik Gerding, director of the Division of Corporate Finance, said staff carefully considered those issues as part of their internal deliberations prior to the final rules being adopted in July.

Gerding provided some key takeaways on the final recommendationsin public remarks Thursday, just before the SEC enforcement dates were scheduled to begin. The agency received a wide range of public comment following the March 2022 recommendations, and made several key changes to the final language. 

Gerding highlighted some of the main points in the final recommendations as well as important changes from the original proposals:

The SEC has issued cyber guidance before

The SEC previously issued guidance regarding cybersecurity disclosure, including staff guidance released in 2011 and recommendations last issued in 2018. While the SEC has seen improved compliance since the prior guidance was issued, companies have been inconsistent in their security disclosures, Gerding said.

"The Commission determined that new rules would provide investors with the more timely, consistent, comparable and decision-useful information they need to make informed investment and voting decisions," he said. 

There are more economic threats

The economy is heavily dependent on digital systems, and the increase in remote work, use of digital payments and a greater reliance on third-party providers for IT, including cloud computing services, is adding to the cyber risk climate. 

"In my view, artificial intelligence and other technologies may enhance both the ability of public companies to defend against cybersecurity threats but also the capacity of threat actors to launch sophisticated attacks," Gerding said. 

The SEC sees the potential cost of cybersecurity incidents to companies and their investors rising at alarming rates, Gerding said. All this adds to the need for better disclosures, he said. 

The SEC doesn't want to manage security

Gerding emphasized the SEC is not trying to dictate how companies should manage cybersecurity policies or procedures.

"Public companies have the flexibility to decide how to address cybersecurity risks and threats based on their own particular facts and circumstances,” Gerding said. “Investors have indicated, however, that they need consistent and comparable disclosures in order to evaluate how successfully public companies are doing so.”

Understanding the final rule

The final rule requires the disclosure of “material” cybersecurity incidents, which is more narrow than the original proposal. The SEC factored in compliance costs as well as the company’s need to respond to and remediate incidents. 

But the final rule does not require any specific technical disclosures about how a company will respond to an incident, or details about its system vulnerabilities. 

"The Commission thus balanced the need for disclosure with the risk that disclosing specific technical information could provide a road map that threat actors could exploit for future attacks," he said.

National security concerns

The final disclosure rules allow companies to delay notification based on national security concerns, contingent on a notification from the Department of Justice. The FBI earlier this month issued a policy notice disclosing the process for companies to seek national security delays for disclosing material cyber incidents.

Gerding noted the division issued a Compliance and Disclosure Interpretation that a company seeking a delay based on national security grounds does not automatically make a cybersecurity incident a material issue requiring disclosure. All of the relevant facts surrounding the incident must still be considered. 

The disclosure requirements do not preclude an organization from consulting with the FBI, Department of Justice, the Cybersecurity and Infrastructure Security Agency or another national security or law enforcement agency before determining materiality.

Filed Under: Policy & Regulation

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Policy & Regulation
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell