SEC Proposes Cybersecurity Disclosure Framework for Public Companies

The SEC announced a proposal that Chairman Gary Gensler says will enhance issuers’ cybersecurity disclosures by requiring mandatory, ongoing disclosureson governance, risk management, and strategy with respect to cybersecurity risks and mandatory, material cybersecurity incident reporting. According to Gensler, the proposal “would specify when and what information about cybersecurity incidents companies must disclose in a current report, such as on Form 8-K. It also would require updates in periodic reports to give investors more complete information on previously disclosed, material cybersecurity incidents.” The SEC also recently proposed expanding Regulation Systems Compliance and Integrity (SCI) to certain government securities trading platforms and new obligations for registered investment advisers and funds with respect to cybersecurity. At a recent fund industry conference SEC Commissioner Caroline Crenshaw remarked that the SEC’s goal is “not to be adversarial with any registrant,” in responding to concerns on proposed cybersecurity regulation. Crenshaw explained, as reported by Think Advisor, that the firms that “follow best practices, provide timely disclosure, cooperate with law enforcement as necessary,” are the ones unlikely to draw enforcement action really because they are a victim of a cyberattack. Crenshaw emphasized the importance of the regulation and remarked that cybersecurity is something that keeps her up at night. The Investment Adviser Association conference, which brings together registered investment advisers and compliance professionals, focused on cybersecurity and other rule proposals aimed at registered investment advisers. The IAA, Securities Industry and Financial Markets Association, Managed Funds Association and several other trade groups also submitted a letter to the SEC asking that the agency extend the 30-day comment period for proposals affecting private funds.