SEC Delays Finalizing Cybersecurity Disclosure Rules Until October 2023
Key Highlights:
The U.S. Securities and Exchange Commission (SEC) recently announced a delay in finalizing proposed cybersecurity rules. The two different sets of rules, one for public companies and regulated entities and another for investment advisers, registered investment companies, and business development companies, are expected to be delayed until at least October 2023. The delay has raised questions about the timeline and potential factors influencing the extended process. Despite an initial target of finalizing the rules by April 2023, the SEC has postponed the timeline.
The proposed cybersecurity disclosure rules aim to enhance transparency and accountability in public companies' handling of cybersecurity incidents. SEC Chair Gary Gensler was quoted stating that, "cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks."
The rules largely focus on enhancing cybersecurity requirements for public companies, including a four-day disclosure timeframe for “material” cybersecurity incidents, requirements around Board governance of cybersecurity, increased disclosures on Board cybersecurity expertise, enhanced disclosures on risk management, oversight, and cybersecurity, and aggregation requirements for incidents that are non-material individually. In addition to the cybersecurity disclosure rules for public companies, the SEC has also proposed rules for cybersecurity risk management in the investment industry. Investment advisers, registered investment companies, and business development companies would need to adopt and implement written cybersecurity policies and procedures.
Concerns have been raised that the required reporting timeframe could compromise law enforcement investigations. The postponement of the SEC's cybersecurity rules reflects the complexity of addressing cybersecurity challenges while balancing reporting requirements against potential law enforcement implications. Stakeholders in public companies and regulated entities must remain proactive, maintain strong cybersecurity practices, and closely monitor updates from the SEC.
The SEC needs to address concerns raised by the FBI and other stakeholders, ensuring that the finalized rules provide clear and practical guidance for effective cybersecurity risk management. The FBI has reportedly raised concerns about the four-day disclosure rule: as proposed, companies would be compelled to disclose incidents even while law enforcement has an active case open, which could compromise those investigations. The SEC should weigh these concerns while finalizing the rules to strike a balance between reporting requirements and the integrity of ongoing investigations.
By providing clear frameworks, the SEC can empower stakeholders to develop comprehensive cybersecurity strategies while aligning with industry best practices. By requiring investors and key financial stakeholders to take privacy and security more seriously, it’s likely we will see significant changes industry-wide. Enhanced disclosure and responsibility are key components of the proposed rules, and by fostering collaboration and implementing comprehensive guidelines, the SEC can enhance the resilience of organizations against evolving cyber threats.
The delay in finalizing the SEC's cybersecurity rules has raised many questions, and stakeholders in public companies and regulated entities must remain proactive, closely monitoring updates from the SEC. By addressing concerns raised by the FBI and other stakeholders, the SEC can ensure that the finalized rules provide clear and practical guidance for effective cybersecurity risk management while striking a balance between reporting requirements and the integrity of ongoing investigations.