Commenters Weigh SEC’s Proposed Cybersecurity Disclosures for Public Issuers

Industry groups, regulators and elected officials submitted feedback on the SEC's proposed disclosure requirements regarding cybersecurity risk management, governance, strategy and incident reporting by public companies. As previously covered, the SEC's proposed requirements would require issuers to, among other things, (i) inform investors about an issuer's risk management strategy and governance and (ii) provide prompt notification to investors of material cybersecurity incidents within four business days, as well as periodic updates on such incidents.

SIFMA

SIFMA urged the SEC to "distinguish between its role as prudential regulator for regulated entities versus its role to assure that public filings under the Exchange Act meaningfully inform investors regarding their investment decisions." SIFMA called for the proposal to be reevaluated to give deference to public companies' prudential regulators and relevant cybersecurity specialist agencies like CISA, and suggested, among other things:

  • cutting back on the amount of public disclosure of sensitive and highly subjective information, because such disclosure would benefit cyber attackers more than investors;
  • providing more time for companies to make disclosures when they are conducting internal cybersecurity investigations; and
  • taking the time to evaluate the proposal, given the pace at which the SEC is currently introducing new rules.

Structured Finance Association

The Structured Finance Association focused on the lack of discussion in the proposal on asset-backed issuers that do not have operations and businesses to which the disclosure framework could apply.

Nasdaq

Nasdaq highlighted concerns from a group of its listed companies regarding the proposal. Nasdaq noted:

  • the four-business-day reporting deadline following an incident may interfere with a company's ability to understand the nature and scope of the breach, its potential impact and remediation of the incident;
  • the burden on smaller public companies to comply with the governance and reporting requirements of the proposal; and
  • the need for a delay in reporting of a cybersecurity incident when an investigation is ongoing.

Chamber of Commerce

The Chamber of Commerce pointed to "significant flaws," including that the proposal:

  • is not consistent and clear, in that it leaves businesses with "multiple conflicting cybersecurity reporting directives from several U.S. agencies";
  • requires too much information about companies' cybersecurity policies and practices - information which could provide a "road map" for bad actors and hostile nation states, which in turn harms investor protection and capital formation; and
  • has not been subject to a full economic analysis in order to take into account the expected costs of its enactment.

NASAA

NASAA supported the proposal, but recommended (i) providing a reporting delay for cybersecurity incidents subject to ongoing external investigations in order to avoid undermining law enforcement efforts and (ii) requiring companies that do not have cybersecurity policies to explicitly state that and to provide an explanation for why they have not implemented any such policies.

Council of Institutional Investors

The Council of Institutional Investors supported the proposal, citing the importance of a company's board in navigating cybersecurity risk management, disclosing the board's oversight and experience to assist investors in making informed votes on directors and requiring timely disclosure of material cyber events to avoid investor harm.

Legislators

Seven Senators joined in support of the proposal, highlighting similarities to the Cybersecurity Disclosure Act that had been introduced by the group. The Senators emphasized that (i) cybersecurity was an integral part of shareholder value, (ii) the proposal provided incentives for public companies to step up their cybersecurity efforts and (iii) the proposal addressed the risks that cybersecurity poses to all public companies.

Senator Rob Portman, Ranking Member of the Senate Committee on Homeland Security and Governmental Affairs, opposed the public and detailed nature of disclosing material cybersecurity incidents, stating that cyber criminals will use this information to exploit national cybersecurity and hinder law enforcement efforts to combat cyberattacks. Senator Portman suggested, among other things, that (i) the SEC include a "Law Enforcement Investigation Exemption" to allow companies to delay disclosure of cybersecurity incidents in the event of an ongoing law enforcement investigation and (ii) companies should not be required to disclose cybersecurity incidents if there is an ongoing internal investigation related to that cybersecurity incident. Senator Portman noted Congress's intent that the Cyber Incident Reporting for Critical Infrastructure Act be "the primary mechanism for companies to report cyber incidents" and juxtaposed how the Act provides for such exemptions.