SEC to Propose Cybersecurity Risk Governance Disclosures—Commissioner Roisman Shares His Views

SEC Commissioner Elad Roisman recently spoke about cybersecurity threats and challenges facing the agency’s registrants, including public companies and financial institutions.  One source of challenges (our words, not Roisman’s) may come from the government itself—the combination of (1) the lack of clarity on requirements and expectations from the SEC in certain areas, and (2) the myriad and patchwork set of rules and agencies that govern and oversee, respectively, the cyber programs of financial services firms, public companies, and other SEC registrants.

For the time being, the SEC’s attention and prospective rulemaking seem focused on public companies, which are subject to various reporting obligations, including under Exchange Act Rule 13a-15(a).  The rule requires most issuers of a security registered pursuant to Section 12 of the Exchange Act to maintain disclosure controls and procedures designed to ensure that information required to be disclosed in reports the issuer files or submits under the Exchange Act is recorded, processed, summarized, and reported timely (e.g., 8-K filings within four business days of the occurrence of a reportable event).  In early 2018, the SEC issued a statement and guidance on public company cybersecurity disclosures.  That guidance notes the following (which the SEC has similarly highlighted in recent enforcement actions):

“Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.  In addition, the Commission believes that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”

As Roisman noted in his speech, the SEC has also focused on public companies’ internal controls over financial reporting.  In 2018, shortly after the SEC issued the guidance referenced above, it issued a Section 21(a) report regarding cyber-related frauds perpetrated against nine public companies, citing the importance of devising and maintaining a system of internal accounting controls for cyber-related issues.

Roisman believes “there is more that the Commission should contemplate in terms of cyber guidance and/or rules to ensure that companies understand [the SEC’s] expectations and investors get the benefit of increased disclosure and protections by companies.”  Based on the agency’s “Reg. Flex” agenda (which is set by Chairman Gensler), it seems like Roisman will get his way (at least in part).  In particular, the Division of Corporation Finance is considering recommending that the SEC propose rule amendments to enhance issuer disclosures regarding cybersecurity risk governance.  It’s not entirely clear what this will embody.  But Chairman Gensler has indicated multiple times, including during recent testimony to Congress, that this rulemaking “could address issues such as cyber hygiene and incident reporting” for issuers and funds.  This is not SEC leadership’s first mention of “cyber hygiene,” which generally refers to best practices, habits, and mindset related to cybersecurity.  In a November 2020 interview with CNBC, then-SEC Chairman Jay Clayton made a similar reference.

Commissioner Roisman also suggested that “there should be some framework for reporting cyber-incidents to clients and to the Commission.”  Roisman cited precedent at FINRA as a possible model, including FINRA rules related to supervision, business continuity planning, and self-reporting of events.

Interestingly, prospective rulemaking could be an area of common ground for the Chairman and the other Commissioners, given the seemingly unified views that more is needed in this area.  We’ll keep an eye out for updates on this front.