SEC Open Meeting
Securities and Exchange Commission
Open Meeting
Wednesday, March 9, 2022
Topline
- The Commission voted 3-1, with Commissioner Hester Peirce voting against, to propose amendments regarding cybersecurity risk management, strategy, governance, and incident disclosure.
- The proposal requires (1) current reporting about material cybersecurity incidents on Form 8-K and (2) periodic disclosures regarding a registrant’s policies and procedures to identify and manage cybersecurity risk; management’s role in implementing cybersecurity policies and procedures; the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and updates about previously reported material cybersecurity incidents.
- The comment period is 30 days after publication in the Federal Register or May 9 (which is 60 days after issuance), whichever is later.
ITEM 1: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
The Commission voted 3-1, with Commissioner Hester Peirce voting against, to propose amendments regarding cybersecurity risk management, strategy, governance, and incident disclosure. The comment period will be 30 days after publication in the Federal Register or May 9, whichever is later.
Staff Discussion
Renee Jones laid out the proposal and discussed the risk of cyber incidents. She said that as risk has increased, current reporting is inconsistent, untimely, and difficult to find, adding that investors would benefit from enhanced disclosure under the proposal. She then said the proposed amendments would require current reporting of cybersecurity incidents and periodic disclosure of firms’ cybersecurity policies and procedures to identify and manage cybersecurity risk. She concluded that these amendments would improve the usefulness, comparability, and timeliness of disclosures.
Ian Greber-Raines discussed the requirements in greater detail and the two main components of the proposal: cybersecurity incident disclosure and disclosure of cybersecurity risk management, strategy, and governance. He then described the amendment to Form 8-K to require disclosure within four business days after a registrant determines it has experienced a material cybersecurity incident. He also discussed the requirement for registrants to provide updated disclosures relating to previously disclosed cybersecurity incidents in their periodic reports and the addition of cybersecurity as a reporting topic. He stated that the report must include when the incident was discovered, whether the incident is ongoing, a brief description of the nature and scope of the incident, whether any data was stolen, altered, accessed, or used for any other unauthorized purpose, and whether the registrant has remediated or is currently remediating the incident. Greber-Raines said the proposed amendments would also require disclosure in an annual report regarding a registrant’s policies and procedures on how it identifies cybersecurity risk, how that risk affects the registrant’s business strategy, management’s role in identifying and assessing cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ oversight of cybersecurity risk. He added that registrants must disclose their board’s cybersecurity expertise in annual reports to investors.
Jessica Wachter outlined the proposed amendments and said that such standardization makes disclosures decision-useful and comparable across companies. She also said that cyber threats have increased and can impact a firm’s financial operations and that companies currently may disclose too little too late. She then discussed information asymmetry, adding that improved disclosure decreases uncertainty. She concluded that the disclosure could be used by bad actors against companies but that disclosure by one company can be used by other companies to improve their own cybersecurity.
Commissioner Discussion
Commissioner Hester Peirce said the proposals laid out by the SEC cast the Commission as the nation’s cybersecurity command center, which is not a role Congress gave it. She went on to say the Commission regulates a company’s disclosures, not a company’s activities, adding that the Commission does not have the same authority over public companies as it does over investment advisers, broker-dealers, or other registered entities. She characterized the proposal as unprecedented micromanagement by the Commission that will exacerbate the already intense demand for cybersecurity experts on company boards. She also said that the Commission does not have the necessary expertise to play a role when working with companies on cybersecurity and that the substance of how a company manages its cybersecurity risks is best left up to the company to decide. Peirce expressed concern with the Commission being unduly dismissive of its partners across the federal government and law enforcement agencies in general.
Commissioner Allison Herren Lee discussed the increased risk of cyberattacks and the proposed amendments to update disclosure for public companies, describing the proposal’s Form 8-K disclosure within four business days after determining that a cyber incident is material, the disclosure of policies and procedures, and the governance-related disclosure of how cyber risks are managed.
Commissioner Caroline Crenshaw explained the increased risk of cyberattacks and steps taken by the Commission to address cybersecurity in the past, adding that despite the prior action taken regarding cybersecurity disclosure, disclosures have been inconsistent in level of detail, timing, and placement. She also said that the who, what, when, and where are often inconsistent and unreliable and that the Commission’s proposal is an important step forward in addressing the growing risks of cybersecurity.
Commission Chair Gary Gensler said that, if adopted, the proposal would strengthen investors’ ability to evaluate the companies they own and the companies they might consider for investment. He then discussed how, over the years, the disclosure regime has evolved to consider new risks with which investors must contend, including cybersecurity, adding that investors want to know more about how issuers are managing cyber risk, which has financial, legal, and reputational impacts on issuers. He highlighted the proposal’s requirement for mandatory, ongoing disclosure of companies’ governance, risk management, and cybersecurity risk strategy, which would allow investors to assess risks more effectively by requiring disclosure of the board’s and management’s roles in risk management, the company’s policies and procedures for cybersecurity, and whether those risks are likely to affect the company’s financials. He also highlighted the requirement for material cyber incident reporting, which must be complete, accurate, and timely and requires updates in periodic reports, giving investors more complete information on previously disclosed material incidents.
For more information on this hearing, please click here.
For an archive of past SIFMA hearing coverage, please click here.