The SEC wants better corporate disclosures about hacks
Letting customers know about cyber attacks may no longer be based on the judgement of corporate lawyers.
The U.S. Securities and Exchange Commission (SEC) has proposed new cybersecurity risk management rules for corporations that would require them to be more transparent with customer disclosures.
The new rules would be implemented as amendments to various forms regarding cybersecurity disclosures and would specifically target investment advisers, investment funds, and business development companies.
No more hiding cybersecurity hacks
Introducing stricter regulation regarding cybersecurity disclosures isn’t a new effort from the SEC. In 2018, former SEC Commissioner Robert J. Jackson Jr. said that current disclosure requirements “erred on the side of nondisclosure” and often left investors in the dark when companies experienced hacks or other cybersecurity attacks.
Currently, company management is only required to keep boards informed about cybersecurity issues, with no obligation to share them with investors or other customers. However, a joint 2021 report showed that in 2020, only 17% of Fortune 100 companies surveyed reported cybersecurity issues to board members annually or quarterly.
The SEC seems eager to change this as it spent the better part of 2022 introducing various proposals that — if passed — would require public companies to report on cyber attacks and incidents.
This is the case with the Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies proposal, published on February 9.
In the document, the SEC proposes introducing new rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 to require funds and advisers to implement new cybersecurity policies. According to the document, these policies and procedures are specifically designed to address cybersecurity risks by requiring companies to report significant cybersecurity incidents affecting the adviser, its fund, or private fund clients to the SEC.
“We believe requiring advisers and funds to report the occurrence of significant cybersecurity incidents would bolster the efficiency and effectiveness of our efforts to protect investors, other market participants, and the financial markets in connection with cybersecurity incidents,” the SEC said in the proposal.
Jamil Farshchi, the chief information security officer at Equifax, told Bloomberg News that the proposed rules would bring much-needed transparency to corporate leadership and require unprecedented accountability when it comes to cybersecurity.
More rules equal a stronger SEC
Many believe that the SEC’s recent push to play a more active role in strengthening rules regarding cybersecurity is a direct result of the SolarWinds hack. The infamous event is widely considered among the worst cyber-espionage incidents suffered by the U.S., as the country saw many parts of its federal government targeted by a group of Russia-backed hackers.
The attackers infected updates from a U.S. federal contractor, using that as a springboard to break into various government agencies and companies. Following the hack, the SEC sent letters to companies it believed were at risk from the hacks, requiring them to self-report whether they had been hacked and what damage the hacks inflicted.
As the Commission received an underwhelming number of disclosures, it started the Amnesty Program—offering forgiveness to companies that eventually complied with the self-report request, even if they hadn’t previously disclosed the incident to investors.
At the time, the National Association of Corporate Directors, the Cyber Threat Alliance, and SecurityScorecard all called the program “noteworthy,” as it signaled the SEC’s evolving view on cyber risk. Sachin Bansal, chief business and legal officer of SecurityScorecard, called it a “watershed” moment for the SEC.
But, despite this, the SEC’s new proposal leaves many stones unturned.
If implemented, the new rules will require companies to disclose “material” or “significant” cyber incidents. The SEC regards “material” information as any information with a “substantial likelihood that a reasonable shareholder would consider it important.”
Many find the SEC’s definitions too vague to bring any meaningful transparency to the market. The vagueness also means that the rules would be subject to interpretation by the SEC on a case-by-case basis, leaving room for companies to appeal rulings and set precedents that could render the proposal essentially worthless.
However, there is still room to improve. The SEC isn’t set to vote on the proposal for another few weeks, leaving plenty of room for industry participants to share their concerns and suggestions with the Commission.
It is unclear how this affects the crypto industry, as more and more investment funds include various digital assets and crypto derivatives in their portfolios. However, the proposed rules could result in many disclosures coming from the crypto space.