SEC pushes for tougher cybersecurity disclosure rules

By Jim Tyson for CFODive.com

• The Securities and Exchange Commission (SEC) Wednesday proposed tougher, more detailed rules for cybersecurity disclosure, including deeper company reports on cyberattacks and regular filings on cyber risk management, governance and strategy. Companies would need to report breaches within four days.

• “Consistent, comparable and decision-useful” disclosure standards “would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting,” SEC Chair Gary Gensler said before the commission approved the proposal in a 3-1 vote. The rules are subject to a 60-day period for public comment.

• “The interconnectedness of our networks, the use of predictive data analytics and the insatiable desire for data are only accelerating, putting our financial accounts, investments and private information at risk,” Gensler said. “Investors want to know more about how issuers are managing those growing risks.”

CFOs face a growing risk of operational turmoil and high costs from ransomware attacks and extortion bids, which surged 107% last year compared with 2020, according to Accenture.

Ransomware attacks at many companies have exploded CFO assumptions underlying budgeting and risk management. Total ransomware payments doubled in 2021 compared with 2020, according to estimates cited by Moody’s Investors Service.

U.S. banks during the first half of last year flagged to the federal government $600 million in ransom. JBS, a meat producer, paid attackers $11 million last year while CNA Financial, a global insurance company, reportedly paid $44 million.

Colonial Pipeline, the largest fuel supplier to the eastern U.S., handed over to attackers $4.4 million to resume operations after a shutdown that led to a six-day fuel shortage. Federal authorities later recovered $2.3 million.

The Biden administration has sought to strengthen cybersecurity in both the public and private sectors, instituting a “zero trust” approach in the federal government and partnering with private electric, natural gas and water companies to improve threat detection.

President Joe Biden warned soon after Russia invaded Ukraine on Feb. 24 that the U.S. is ready to respond to cyberattacks against companies or critical infrastructure. Ukraine has faced several attacks through wiper malware, phishing and denial-of-service strikes.

Under the rules proposed by the SEC, companies would need to update reports on previously disclosed breaches.

Companies would be required to describe how they manage cybersecurity risks, “including whether the registrant considers cybersecurity as part of its business strategy, financial planning and capital allocation,” the SEC said. They would also need to disclose the board’s role in cybersecurity oversight, and the role of management in containing risks.

The SEC proposal “flirts with casting us as the nation’s cybersecurity command center, a role Congress did not give us,” Commissioner Hester Peirce said before casting the lone “no” vote.

“The governance disclosure requirements embody an unprecedented micromanagement by the commission of the composition and functioning of both the boards of directors and management of public companies,” Peirce said. 

When sanctioning companies for failures in cyber risk disclosure, the SEC will likely index penalties to the extent of the damage, SEC Senior Counsel Arsen Ablaev said in November.

The SEC Enforcement Division’s Cyber Unit “will continue to dig deeper into the area of cybersecurity-related disclosures and disclosure controls and internal controls,” according to Ablaev, a member of the Cyber Unit.

If compromised data is related to a company’s “critical business, the more likely we are to find materiality and the more likely we are to assign a kind of higher penalty amount to these cases,” he said at Securities Enforcement Forum 2021.