The Securities and Exchange Commission on July 26, 2023, will consider adopting a March 2022 proposal that would require public companies to disclose material cybersecurity breaches in a more timely manner. This is in part intended to address complaints by investors that they sometimes find significant cyberattacks in the news first, among other reporting problems.
A prominent example is when Yahoo kept information about a major cyber breach quiet for two years until its 2016 sale to Verizon. The 2014 attack had affected 500 million user accounts.
If the proposal is adopted, the rule will increase the transparency of cybersecurity reporting. In particular, public companies will have to report within four days of the determination that a cybersecurity incident was material on Form 8-K disclosures.
Companies must periodically report information about policies and procedures to manage cybersecurity risks as well as updates about previously disclosed incidents, among several proposed requirements.
It is unclear whether the SEC will adopt the rules as described in proposed Release No. 33-11038, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, but comment letters from business groups and law firms expressed concerns on a host of proposed requirements, including the four-day reporting period.
In the meantime, the SEC previously planned to adopt the rules in the spring but had pushed back to the fall in its most recent regulatory agenda that is updated twice a year. And some may have been slightly caught off guard that it is happening next week.
“This comes as a little bit of a surprise seeing how the SEC previously moved this to October in their Reg Flex agenda,” said Dave Brown, a partner with Alston & Bird LLP in Washington.
Separately, SEC Chair Gary Gensler, at a conference on July 17, answered a question about the timing of various rulemakings.
“So, we put some estimates [in the Reg Flex agenda] as to when things will happen, and we’ve just put it in two buckets, April and October. And you will see that the next one that comes out will be October and April. Sometimes things go a little faster; sometimes things go a little slower.”
Gensler added that the SEC adopts or proposes rules when the staff is ready with its recommendations and when the commissioners are also ready with the rulemaking.
Public companies are paying close attention to this particular rulemaking as cybersecurity is a priority, if not the most important issue.
“Public companies are anxious to see if the SEC thoughtfully accounted for the substantive comment letters and the practical implications of the proposed rules,” Brown said. “When proposed, both cybersecurity lawyers and experts and securities lawyers wondered how much practical feedback or understanding the SEC had in cybersecurity and cybersecurity incidents in proposing these rules.”
For example, in a comment letter, the U.S. Chamber of Commerce, noted that the proposal conflicts with policy goals established by Congress, including in the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This requires certain critical infrastructure entities to report confidentially applicable cyber breaches to the Cybersecurity and Infrastructure Security Agency within 72 hours.
“The SEC’s proposed rules leave businesses in the unenviable position of facing conflicting cybersecurity reporting directives from several U.S. agencies,” the U.S. Chamber wrote.
Moreover, the powerful business group wrote that the public disclosure of a company’s cybersecurity policies and practices as proposed could provide a roadmap for criminals and hostile nations to attack businesses.
Asked about which particular proposed requirements Brown feels must be revised, he said there are several.
“But I think one of the most pressing requirement that needs to change is the requirement to file an 8-K within four business days of determining materiality without any exceptions, such as if the incident is ongoing or a law enforcement exception” he said. This means that law enforcement has asked the company not to publicly disclose it.
“This could actually harm the company, make the incident worse and/or harm investors,” he said.
Meanwhile, this proposal is of interest to not only public companies but also to the accounting and auditing profession.
The AICPA wrote in a comment letter that a framework developed in 2017 will help companies in managing and reporting cybersecurity risks and incidents.
In recommending Cybersecurity Risk Management Reporting Framework, which is available for free, the AICPA said that it is critical that all market participants work towards a comprehensive global reporting solution that gives insight into how a company handles cybersecurity matters.
The Center for Audit Quality (CAQ), an AICPA affiliate which represents accounting firms that audit public companies, wrote that clear definitions of cybersecurity incidents and cybersecurity threat are needed.
For example, both definitions refer to the scope of information to be considered for either an incident or a threat to be “any information” within an information, and CAQ said that the terms are too broad. In its view, the SEC should qualify such information using common, risk-based terms like confidential, non-public, or personally identifiable.
Without clarity, “this could have an adverse effect on assessments of materiality, incident disclosures, and other periodic disclosures prepared by registrants,” the CAQ wrote.
Other Rulemaking Items for Consideration
During the July 26 open meeting, the SEC will consider two additional rulemaking items.
One is about conflicts of interest associated with the use of predictive data analytics by broker-dealers and investment advisers.
“The Commission will consider whether to propose new and amended rules under the Securities Exchange Act of 1934 and the Investment Advisers Act of 1940 relating to conflicts of interest associated with broker-dealers’ and investment advisers’ use of predictive data analytics in connection with certain investor interactions,” the SEC stated in its meeting notice.
The other one is about exemption for certain investment advisers that operate through the internet.
“The Commission will consider whether to propose amendments to the exemption for internet advisers from the prohibition against registration under the Investment Advisers Act of 1940,” the SEC stated.
The agency did not give more details.
This article originally appeared in the July 21, 2023 edition of Accounting & Compliance Alert, available on Checkpoint.
Get all the latest tax, accounting, audit, and corporate finance news with Checkpoint Edge. Sign up for a free 7-day trial today.
