Senators Want More Out of SEC’s Proposed Rules on Cybersecurity

A bipartisan group of senators sent a letter to the Securities and Exchange Commission (SEC) earlier this month, urging it to require publicly traded companies to disclose information about cybersecurity incidents and policies. A day later, the SEC approved proposed rules that align with the letter’s recommendations but apply only to investment companies and advisers — a more limited approach that is unlikely to ensure accountability for cybersecurity preparedness across the entire private sector.

The SEC’s proposed rules would require registered investment advisers and investment-related companies to develop and implement written cybersecurity policies, to report significant cyber incidents privately to the SEC, and to publicly disclose cybersecurity risks and incidents in company documents.

The SEC noted that it is taking these steps because despite its warnings to investment firms, “certain advisers and funds show a lack of cybersecurity preparedness, which puts clients and investors at risk.” Additionally, while some advisers and firms disclose cybersecurity risk information to their clients, the SEC is concerned that this information may be insufficient for individuals to make “informed investment decisions.”

The SEC says it aims to “to enhance cybersecurity preparedness and improve the resilience of investment advisers and investment companies.” The Senate letter, however, proposes a more robust approach focusing on all publicly traded companies. “Investors deserve a clear understanding of whether companies and investment managers are prioritizing cybersecurity,” the senators argue. “They also have a right to prompt notification of serious cybersecurity incidents.”

The letter also urges the SEC to consider requirements like those outlined in pending legislation sponsored by the signatories to require companies to disclose if they have a cybersecurity expert on their board of advisers. The rationale for this disclosure is to bolster investor confidence that firms are developing a culture of accountability for cybersecurity. Oversight of cybersecurity risk by the board of directors would demonstrate this culture.

The most effective way to increase cybersecurity accountability in the private sector, as originally proposed by the congressionally mandated Cyberspace Solarium Commission, would be to follow the approach of the Sarbanes-Oxley (SOX) Act of 2002. Passed in the wake of the Enron scandal, the law aims to protect investors from inaccurate financial reporting by requiring companies to accurately represent their business operations through financial reporting validated by third-party audits.

Yet incomplete or inaccurate cybersecurity information inflicts the same harm on investors as inaccurate financial reporting did 20 years ago. Thus, Washington should now require all publicly traded companies to also disclose cybersecurity risks and incidents, and should hold corporate boards accountable for this information, as they are for financial disclosures.

In particular, the House and Senate should add a cybersecurity reporting requirement to SOX through a congressional amendment. Alternatively, the SEC should promulgate new rules to account for cyber risks as part of companies’ financial reporting assessments pursuant to section 404 of SOX. In so doing, Washington would provide investors with a clear understanding of which companies are prioritizing cybersecurity.

As companies across private industry find themselves in the crosshairs of cyberattacks from both nation-states and criminals, they must not ignore cybersecurity as a key component of their corporate responsibility.

Mark Montgomery serves as senior director of FDD’s Center on Cyber and Technology Innovation (CCTI) and as senior adviser to the chairmen of the Cyberspace Solarium Commission. Trevor Logan is a cyber research analyst at CCTI. For more analysis from the authors and CCTI, please subscribe HERE. Follow Mark and Trevor on Twitter @MarkCMontgomery and @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.