WASHINGTON (Reuters) -Wall Street’s watchdog voted to unveil a rule on Wednesday that aims to enhance how public companies disclose when they experience a breach, and how soon.
Under the proposed Securities and Exchange Commission (SEC) measures, a company would have to spell out when it experiences a risk and what strategies it has employed to address and manage such risks in current report filings, including Form 8-K.
The rule changes, which are subject to public consultation, would also require an analysis of how the cyber risks are likely to affect the company’s financials. This would allow investors to assess these risks more effectively, and to locate them more readily, the SEC said.
The 3-1 vote by the commission to issue changes comes at a time of growing regulatory concern about how cyber security issues could affect markets and investors. Regulators have warned, for example, of cyber attacks from Russia in retaliation for Western sanctions.
President Joe Biden’s administration has also ratcheted up its focus on the issue after a recent series of high-profile cyber attacks on U.S.-based companies.
“The interconnectedness of our networks, the use of predictive data analytics and the insatiable desire for data are only accelerating, putting our financial accounts, investments, private information at risk,” SEC Chair Gary Gensler said on Wednesday.
“They’re like honeypots sitting inside of companies and investors want to know more about how issuers are managing those growing risks.”
Wednesday’s measure would also require updates in periodic reports to give investors more complete information on previously disclosed, material cybersecurity incidents, the agency said.
The proposals would build on existing SEC cyber risk guidance, which is set to remain in effect, even under the SEC’s new rules, an agency official told reporters.
“How a company might think about the impact (of a breach) to management’s discussion and analysis of financial conditions … should still be taken into consideration,” the official added.
The SEC has long warned companies that materiality of a cyber breach should not be limited to the quantitative impact on revenue or assets, but should consider qualitative factors that a reasonable investor would consider in making decisions.
Republican Commissioner Hester Peirce, who dissented on the proposal, said the move goes beyond the agency’s mission.
“This proposal flirts with casting us as the nation’s Cybersecurity Command Center — a role Congress didn’t give us,” she said.
Tom Quaadman of the U.S. Chamber of Commerce said he welcomes attention to the matter of cybersecurity risk management, but urged that the SEC liaise with other federal cyber experts to help “ensure policies are supportive, not duplicative.”
“The SEC, as a disclosure agency, should be mindful to not get in the way of national security priorities and focus on robust coordination.”
(Reporting by Katanga Johnson in WashingtonEditing by Michelle Price, Chizu Nomiyama, Jonathan Oatis and Diane Craft)
