Companies Fear SEC’s Cybersecurity Disclosure Rules Could Play into the Hands of Criminals

The Securities and Exchange Commission’s (SEC’s) proposed cybersecurity disclosure rules, which would allow investors for the first time to make apples-to-apples comparisons of companies’ cyberattack vulnerabilities and defenses, might actually have the unintended consequence of giving bad actors artillery to do more harm.

That was among the common themes in letters that companies, trade groups, and other interested parties submitted to the SEC in response to the March rollout of the proposed rules. Many of the more than 140 letters expressed concern about the rules’ requirement that companies disclose material cybersecurity incidents within four days.

That’s too tight a window, commenters argued. In some cases, four days does not give companies enough time to fully get their arms around the extent of the attack, and they may not have yet succeeded in cutting off criminals’ access to their systems.

“The disclosure of a ‘material cybersecurity incident’ before the threat actor has been fully neutralized can create additional vulnerabilities and legal risks for a company,” Cindy Chetti of the National Multifamily Housing Counsel and Gregory Brown of the National Apartment Association wrote in a joint letter.

The proposed rules also mandate that companies disclose their cybersecurity risk-assessment strategy, disclose the cybersecurity expertise of management and board members, and provide updates on previously disclosed cybersecurity events. Some commenters worried that the descriptions, if too detailed, could serve as a roadmap for cybercriminals.

But the overarching goal the SEC is trying to accomplish is a good one, John Zecca, the chief legal and regulatory officer of Nasdaq, said in his letter, echoing many others. “Nasdaq believes that investors, issuers, and other market participants will benefit from healthy capital markets that promote trust and transparency,” he said.

Nonetheless, he said, Nasdaq has gathered feedback from many of the companies it lists, and they have myriad concerns, not just related to the four-day reporting window. For instance, complying with the rules could be burdensome for smaller companies. He said those organizations may need extra time to comply, in part because they might not have cybersecurity expertise on staff.

And if what the SEC mandates is too intricate, it could discourage companies from going public, he said. “The commission should balance the information necessary to ensure investors are kept informed against any burdens placed on public companies based on their size,” Zecca wrote. “Without a proper balance, additional burdens may have the unintended impact of making public capital markets a less-attractive alternative for companies that consider offering their securities to the public.”

Asked for a reaction to the comments in the letters, an SEC spokesman declined to comment. The SEC has closed its comment window. Its next step will be amend the rules or proceed to a final vote.

The proposed rules did not have unanimous support on the commission, which has five members. SEC Commissioner Hester Peirce dissented on the proposal in March, saying it goes too far. She said it “flirts with casting us as the nation’s cybersecurity command center, a role Congress did not give us.”

She questioned whether “securities regulators are … best suited to design cybersecurity programs to be effective for all companies, in all industries, across time.”

From: Corporate Counsel