The SEC Plays Hardball With New Cybersecurity Rule

The Securities and Exchange Commission (SEC) just toughened its stance on public companies over cybersecurity. On July 26, it issued its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule. Originally proposed last year, it applies to publicly traded companies, mandating that they notify the SEC within four days of a material cybersecurity breach.

This is the latest in a slow push to encourage security incident disclosures that began in 2011 with staff guidance at the SEC. That guidance said that various Commission regulations might already require cybersecurity incident disclosures, even though no explicit rule existed for them. In 2018, the Commission issued interpretive guidance highlighting that companies could disclose cybersecurity incidents. However, these disclosures were still patchy and made in different places with varying levels of detail.

The new rule aims to change that by explicitly dictating consistent requirements for security incident disclosure. It requires companies to fill out Form 8-K, a popular disclosure form that then becomes available on the Commission’s website.

The disclosure includes a brief description of the incident, its scope, when the incident was discovered, whether it is ongoing, and its effect on operations. The rule also mandates that companies describe their cybersecurity risk assessment processes and outline how the board and management oversee those risks.

Reaction

Not everyone was a fan of the latest rule. Melissa MacGregor, deputy general counsel and corporate secretary at the Securities Industry and Financial Markets Association (SIFMA), worried that the rule asked for too much too soon. The rule “mandates public disclosure of considerably too much, too sensitive, highly subjective information, at premature points in time, without requisite deference to the prudential regulators of public companies or relevant cybersecurity specialist agencies,” she said in a statement to the Washington Post.

Writing for the Center for Cybersecurity Policy and Law, Harley Geiger, counsel at law firm Venable LLP, also warned about the short disclosure window. “As a general matter of best practice, ongoing cyber incidents should be kept quiet until they are contained and the attack vector is closed off, but the SEC’s rule will change this playbook,” he said.

The SEC had tempered the rule a little, narrowing the scope of the disclosure to just the material details and size of the security incident and any material impact on the company. It also gave the Attorney General the power to delay disclosure by 30 days.

“However, neither of these changes addresses concerns that public disclosure of uncontained or unmitigated cyber incidents creates a risk that attackers will be alerted to unpatched vulnerabilities and cause further harm,” Geiger said. “The AG delay is likely to be exercised only in exceptional cases.”

Even those in the security sector had their reservations. Tara Wisniewski, EVP for advocacy, global markets, and member engagement at (ISC)2, the security non-profit governing the CISSP certification, was concerned that the rule was not detailed enough.

“While we support the fundamental principles of public disclosure to inform and protect shareholders, customers, and other constituents, the SEC ruling is worryingly vague,” Wisniewski reportedly said. “It poses more questions than answers and may create ambiguity for cyber professionals.”

Other Proposals

Industry groups also worry about several aspects of the SEC’s cybersecurity and risk management rules. In June, SIFMA fretted about the potential for confusion between several other rules in the SEC’s pipeline.

Disclosure of some kind or other runs through these other proposed rules. One would extend Regulation S-P, which covers customer data privacy for broker-dealers, investment companies and registered advisers. The rule would require them to adopt written cybersecurity incident response plans, including breach disclosure notifications, within 30 days. It also expands the scope of the Regulation, extending it to cover transfer agents and broadening the definition of customer information to include data collected internally and from third parties.

Other rules focus on cybersecurity risk management, including Rule 10, which would apply to broker-dealers and participants in securities swaps. This requires them to notify the Commission of any security breaches immediately while also regularly assessing and documenting cybersecurity risks and notifying the public of both risks and breaches on their websites. They would also have to implement and document cybersecurity controls and create an incident response plan.

The SEC has a separate set of proposed risk management rules for advisers and funds, expanding existing risk disclosure and record-keeping rules to include cybersecurity risks and policies. They would force advisers and investment funds to include cybersecurity risk disclosures on Form ADV, which is the go-to disclosure form for other matters such as financial risk and conflicts of interest. Documented cybersecurity policies would also become mandatory.

“The Commission has not provided guidance in an actionable format concerning the considerable overlap between the Regulation S-P Proposal with both the Rule 10 Proposal and related proposals,” SIFMA said, warning that the SEC should harmonize the S-P proposal with the others.

Finally, the SEC is pursuing changes to its 2014 Regulation Systems Compliance and Integrity (Regulation SCI) rules, which it issued to ensure the security of trading systems. The amendments would expand the regulations to cover broker-dealers, repositories holding securities swaps data, and more clearing agencies. They would also impose more requirements, including overseeing the security and business continuity of third parties such as cloud service providers and adopting system access controls (which, surprisingly, were not required under the SCI).

The SEC’s document for the cybersecurity rule passed in July included concessions in response to some comments, along with some solid ripostes for others. Whether or not people feel that the rule went too far, the fact that the Commission is stepping up with serious regulations to clarify a growing cybersecurity risk is laudable. In fact, the biggest question about the rule is why it took so long.