SEC Proposes Mandatory Cybersecurity Disclosures

In a public statement dated March 9, 2022, SEC chair Gary Gensler said that the Commission is considering a proposal to mandate cybersecurity disclosures by public companies. “I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”

Over the years, Gensler said, “our disclosure regime has evolved to reflect evolving risks and investor needs. Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.”

Cybersecurity incidents, unfortunately, happen a lot. As Gensler points out, “they can have significant financial, operational, legal, and reputational impacts on public issuers. Thus, investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns.”

While a lot of issuers already provide cybersecurity disclosure to investors, Gensler thinks that companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.

If the proposal becomes a rule, he believes it would enhance issuers’ cybersecurity disclosures in two key ways:

First, it would require mandatory, ongoing disclosures on companies’ governance, risk management, and strategy with respect to cybersecurity risks. “This would allow investors to assess these risks more effectively.” For example, under the proposed rules, companies would disclose information such as:
• management’s and the board’s role and oversight of cybersecurity risks;
• whether companies have cybersecurity policies and procedures; and
• how cybersecurity risks and incidents are likely to have an impact on the company’s financials.

Second, it would require mandatory, material cybersecurity incident reporting. “This is critical because such material cybersecurity incidents could affect investors’ decision making.”

When companies have an obligation to disclose material information to investors, they must be complete and accurate, Gensler states. “Their disclosures also should be timely. Today’s proposal would specify when and what information about cybersecurity incidents companies must disclose in a current report, such as on Form 8-K. It also would require updates in periodic reports to give investors more complete information on previously disclosed, material cybersecurity incidents.”

For more details, see the SEC.gov statement “Statement on Proposal for Mandatory Cybersecurity Disclosures.”