By Nathalie Voit
The Securities and Exchange Commission (SEC) voted on March 9 to propose new cybersecurity regulations for public companies in a bid to limit investors’ risk, according to a press release issued on Wednesday by the agency.
Mandatory cybersecurity incident reporting and required disclosures on company policies to manage cybersecurity threats are among the new amendments proposed in the 129-page release. The suggested measures will be open for public comment for 60 days from when they are published on the SEC’s website or for 30 days from when they are listed in the Federal Register, whichever is longer, the SEC said.
“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk,” SEC Chair Gary Gensler said in a statement. “Investors want to know more about how issuers are managing those growing risks.”
“I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting,” he added.
The proposed measures build on a broader effort by the agency to enhance and standardize cybersecurity disclosure. Although the SEC had proposed new rules related to cybersecurity risk for registered investment advisers and funds on Feb. 9, Wednesday’s vote took on ‘special relevance’ amid the growing cyber threat from Russia, which can no longer be ignored, according to an SEC spokesperson.
SEC Commissioner Caroline Crenshaw similarly warned in her statement that the sophistication and frequency of cyberattacks against market participants had accelerated of late, “and that increase has imposed corresponding economic harms and increased expenses on companies and their investors.” Crenshaw said that cybersecurity is now considered the number one challenge to future business growth by chief executive officers.
The sole dissenting opinion came from Commissioner Hester Peirce, who wrote that “the governance disclosure requirements embody an unprecedented micromanagement by the Commission of the composition and functioning of both the boards of directors and management of public companies.”
“The tension between ensuring that investors get material cybersecurity incident information and protecting the ability of law enforcement to pursue wrongdoers is difficult to resolve appropriately, and I look forward to hearing how commenters would resolve it,” she added.