After a year of headline-grabbing ransomware attacks on U.S. critical infrastructure, Americans have grown impatient with the lack of transparency from corporations.
“Investors want to know more,” Securities and Exchange Commission Chair Gary Gensler said March 9, noting intensified efforts by companies to manage their “growing” cybersecurity risk.
Recognizing these trends, the SEC issued a proposed rule March 9 that would impose four requirements on publicly traded companies aimed at increasing the transparency of their cybersecurity governance. These requirements—now subject to a 60-day public comment period—would obligate companies to provide a holistic assessment of the cybersecurity risks they face. The measures are clearly designed to mitigate the systemic risk created by a lack of sufficient corporate cyber-hygiene.
The first requirement would obligate companies to report to the SEC “a material cybersecurity incident” within four business days. The requirement effectively revises the SEC’s 2018 cyber-disclosure guidance by specifying a clear timeline for companies to notify the SEC of incidents. According to the SEC, this requirement is necessary because public companies are not reporting 90% of known cyber incidents for fear of rattling investor confidence, among other reasons.
The second requirement would build on the first one by obligating companies to detail in their quarterly and annual reports to the SEC all previously disclosed cybersecurity incidents, as well as previously undisclosed incidents that have had a significant impact on the company’s performance and security.
The third requirement would mandate that companies disclose in their public filings to the SEC what policies and procedures they have in place to manage cyber risks. Much like the 2002 Sarbanes-Oxley Act, which was designed to encourage corporations to increase the information available to investors by overhauling accounting and disclosure standards, the proposed SEC requirement aims to create incentives for companies to implement policies that help prevent cyber threats.
The fourth requirement obligates companies to report the cybersecurity expertise of board members and C-suite executives to the SEC. In so doing, the requirement is likely to create public and investor pressure on companies to include individuals with more formidable cybersecurity expertise within their leadership.
Without these four requirements, the information gap between companies and the public will almost certainly persist. The lack of disclosure is not only preventing investors from assessing the risks associated with their portfolios, but it is also leading cyber-insurance providers to develop inaccurate risk models.
As a result, until recently, insurance providers had been accepting much higher risks than they can afford. As they begin to grapple with this problem, the providers are cutting coverage and increasing premiums, leaving companies with fewer options to offset risks.
In March 2020, the congressionally mandated Cyberspace Solarium Commission issued a comprehensive report on how to strengthen national cyber resilience.
Among its more than 80 recommendations to Congress, the commission argued for increased cybersecurity accountability among publicly traded companies. The commission also recognized the insurance industry’s need for comprehensive cybersecurity incident data that would enable it to develop more accurate risk models. With one proposal, the SEC is beginning to address both problems.
How the SEC Could Improve on Its Proposal
One way the SEC could improve upon the proposal following the 60-day public comment period would be to expand the required metrics that companies provide to assess cyber risk.
“What really needs to happen is for public companies to disclose how they have determined the likely and potential financial impact of cyber risks and attacks and how effectively they are mitigating and transferring risk,” Chris Hetner, a former senior cybersecurity adviser to multiple SEC chairs and now a cyber-risk adviser to the National Association of Corporate Directors, told the Foundation for Defense of Democracies.
The SEC’s proposed rule can do just that. It provides clear guidance on cybersecurity disclosures and governance, motivating companies to better protect their networks, maintain cybersecurity records, and assess risks.
Simply put, standardizing cyber-incident reports, making them publicly accessible, and increasing corporate governance transparency can strengthen the resilience of American companies. This will benefit investors, everyday Americans, and the national security practitioners who defend America’s cyberspace every day.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Jiwon Ma is a program analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where she contributes to the CSC 2.0 project, which works to implement the recommendations of the congressionally mandated Cyberspace Solarium Commission.
Rear Adm. (Ret.) Mark Montgomery is CCTI’s senior director and an FDD senior fellow. He directs CSC 2.0 and previously served as executive director of the first CSC. Follow him on Twitter @MarkCMontgomery.
FDD is a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy.