Public Companies Push Back on Proposed Rules for Cyber Disclosure

On March 9, the Commission released a rule proposal that would change the approach of cybersecurity reporting for issuers. While some companies voiced broad support for an SEC reporting regime, others pushed back noting public disclosures could result in additional compliance costs, confusion while responding to breaches in real-time, and volatility in stock pricing. According to a Wall Street Journal article many commenters “want the SEC to coordinate its approach with a new law requiring critical-infrastructure operators to confidentially report incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours.” The Commission’s proposal would require listed firms to file public reports as a means to provide more information on threats and vulnerabilities to investors. Commenters warned of additional risks with the proposal as is, including the notion that public reports could provide hackers information while attacks are in progress and the aggregation of company data on incidents once their collective impact is deemed material does not show initiatives the companies is taking to thwart attacks. In February, the Commission proposed regulations that would require investment funds and advisers to report incidents within 48 hours. The Mutual Fund Directors Forum submitted comments in response to the Commission’s proposal noting the Forum’s disagreement with a 48-hour reporting window, support for fund cybersecurity plans, and the role of independent directors in cybersecurity risk management.