Speedy disclosures present possible headaches for boards and companies.
The SEC recently proposed amendments to its regulations to strengthen and standardize disclosures by public companies in the areas of cybersecurity risk management, strategy, governance and incident reporting.
The amendments would require up-to-date reporting on cybersecurity incidents and periodic reporting to supply updates on previously reported incidents. They would also mandate disclosures on:
• A registrant's policies and procedures to pinpoint and manage cybersecurity risks
• The registrant's board of directors' monitoring of cybersecurity risk
• Management's role and qualifications for assessing and managing cyber risk and instituting cybersecurity procedures
The SEC wants to inform investors more effectively about a company's risk management, strategy and governance, and to provide faster notice of material cybersecurity issues. Anna Pinedo, partner and co-leader, global capital markets, for law firm Mayer Brown, says the proposed amendments are in keeping with the SEC's current approach toward stricter, more standardized disclosures across companies. “I can't say that I agree with the approach that they have taken, but that's the stated rationale.”
Pinedo believes that a major motivation for the SEC is to have companies disclose cybersecurity incidents earlier, as opposed to waiting for the results of detailed investigations to determine materiality. She notes that the proposal would bring about much more detailed requirements for companies on what information they would need to disclose, including whether they engage a consultant or auditor, what sort of preventive procedures they engage in to minimize risk, and the details of their contingency and recovery plans. These disclosures would include information pertaining to boards as well, with Pinedo saying that the SEC would be seeking information on who is responsible for monitoring of cybersecurity risks, the experience of the board on cybersecurity and more.
“They're digging very deep into these oversight issues, which I think many companies and boards would find somewhat intrusive and certainly much more detailed than we've seen before.”
According to Pinedo, the early-disclosure language of the proposal in its current form would affect companies in several ways, including forcing early discussions with company accountants on loss contingencies and requiring disclosure of information when disclosure may be premature. She notes that in the early stages of a cybersecurity event, it is too soon to determine whether the breach will have major ramifications.
“There's very little room for judgment,” says Pinedo. “Hopefully, during the comment period, the rules on disclosure timing will be softened and will become a little more measured.”
As for board impact, Pinedo believes decisions around board composition will be immediately affected.
“That's almost inevitable, because very few companies are going to want to be in a position where they disclose that they don't have a board member with particular cyber expertise.”
Pinedo acknowledges that part of the SEC's disclosure standardization goal is to make it easier for investors to compare information from company to company and to make that information less complicated to find. However, she is concerned about how the early disclosure of cybersecurity events may be perceived by investors. “I fear that if investors see an 8-K from a company, they will jump to a conclusion and assume that information is being included because it is per se material.”
Pinedo expresses dissatisfaction over a set of rules that she finds “prescriptive” and “intrusive.”
“The pendulum has swung from very principles-based disclosure in the last few years to very prescriptive disclosure, and we've missed the middle completely. It would have been nice if we could have landed somewhere in the middle, especially on a topic as important as cyber. I hope that the commenters will take the opportunity to comment on this. The proposal is a challenge.”