It’s no secret that rule amendments to enhance cybersecurity disclosure are on the SEC’s agenda, but in a speech yesterday at Northwestern Law School’s annual Securities Regulation Institute, SEC Chair Gary Gensler provided a little more color as to what public companies might expect to see in a rule proposal. Here’s an excerpt:
Disclosure regimes evolve over the decades. Cybersecurity is an emerging risk with which public issuers increasingly must contend. Thus, I’ve asked staff to make recommendations for the Commission’s consideration around companies’ cybersecurity practices and cyber risk disclosures. This may include their practices with respect to cybersecurity governance, strategy, and risk management.
A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.
In addition, I’ve asked staff to make recommendations around whether and how to update companies’ disclosures to investors when cyber events have occurred.
Make no mistake: Public companies already have certain obligations when it comes to cybersecurity disclosures. If customer data is stolen, if a company paid ransomware, that may be material to investors. As recent cases show, failure to make accurate disclosures of cybersecurity incidents and risks can result in enforcement actions.
Chair Gensler’s speech also addressed cybersecurity regulatory initiatives addressing broker-dealers, investment advisors, mutual funds and other participants in the financial sector — as well as service providers to those businesses.
- John Jenkins, TheCorporateCounsel.net, January 25, 2022