The Securities and Exchange Commission (SEC) on July 26 finally turned the controversial Proposed Rule for Public Companies (PRPC) into an actual rule.
Set to go into effect mid-December, the new requirement calls for public companies to promptly report "material" cybersecurity incidents and report annually on cybersecurity risk management and governance. On the surface, the rule makes perfect sense, but only when considering the intended beneficiaries: investors.
Let’s clarify what these rules entail. Under the new mandates, organizations are required to do the following:
- Report “material” cybersecurity incidents on a Form 8-K within four business days of determining they are material.
- Describe the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the company.
- Disclose their plans and procedures for achieving compliance.
The questions and concerns on most CISOs' minds center on the effectiveness of these new requirements, and on whether they will ultimately do more harm than good.
Time will tell whether it’s an effective rule
Many articles and comments I’ve read recently about the new SEC rules on cybersecurity incident reporting are filled with hand-wringing over the potential negative impacts on over-stressed management teams and the tactical challenges for CISOs and cybersecurity teams. I have heard security leaders say:
- “How can we possibly assess and report on an incident in four days?”
- “This will help other bad actors attack us when we are at our most vulnerable!”
- “What if we report early and it ends up being a false alarm?”
- “What if we thought it was ‘no big deal’ and then we learned it was serious and now we missed our reporting deadline? Will we face accusations of being negligent for not immediately getting it right every time?”
- “Ugh, the sky is falling! How could the SEC turn a deaf ear to the pain and suffering of our management team!”
All these concerns are completely fair and reasonable when taking the point of view of the company. However, the new SEC rules make much more sense and are far less troubling if one accepts that the SEC doesn’t really care about the companies; it cares about the investors.
Consider this quote from SEC Chair Gary Gensler: “Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
First, the phrase “helping to ensure” sounds much softer and gentler than “requiring.” But setting that aside, the rules are intended to protect and benefit investors. I’d argue that the rules actually won’t help companies, except to the extent that one subscribes to the notion that “compliance requirements drive real security outcomes.”
In other words, adding risk for company management teams that fail to disclose material incidents in a timely manner will force those companies to invest in better cybersecurity and incident management functions. In that case, there’s little question the new rules will benefit companies.
But the true beneficiaries are the investors. To investors, companies are simply assets which perform well or poorly. Investors care about the financial performance of their assets. They don’t care at all about how stressed out company managers are or how difficult their tactical incident reporting decisions are.
These new rules were not suddenly hatched this summer. The SEC has worked on them over an extended time period, and companies have given considerable input along the way. By allowing companies just four days to report material incidents, the SEC will try to level the playing field for investors and reduce the risk that insider trading could negatively affect investor portfolios.
Similarly, the requirement for companies to report more thoroughly on their cybersecurity strategy and governance also offers the public better insight into the potential risks to their investments.
Understanding the incident disclosure rules
Do the incident disclosure rules make sense? For investors, yes, they undoubtedly do. Will the vague definition of “materiality” cause confusion and require ironing out over time? It certainly might, although whether an incident will have such a negative impact that it ultimately could affect the stock price isn’t a difficult concept to understand. On the other hand, “materiality” will inherently mean different things to different businesses.
Will the rule improve or impede communication between management and their boards? That remains to be seen. The SEC has certainly amped up the pressure on both boards and management to promptly and thoroughly assess incidents, and to publicly disclose the potentially consequential ones.
The real question: Do these rules meet the intended objective of forcing companies to be more transparent about their cybersecurity governance and incidents, and to be so in a more timely manner? By that criterion, I think they will succeed.
Matt Cooper, senior manager, privacy, risk, and compliance, Vanta