Industry groups, regulators and elected officials submitted feedback on the SEC's proposed disclosure requirements regarding cybersecurity risk management, governance, strategy and incident reporting by public companies. As previously covered, the SEC's proposed requirements would require issuers to, among other things, (i) inform investors about an issuer's risk management strategy and governance and (ii) provide prompt notification to investors of material cybersecurity incidents within four business days, as well as periodic updates on such incidents.
SIFMA urged the SEC to "distinguish between its role as prudential regulator for regulated entities versus its role to assure that public filings under the Exchange Act meaningfully inform investors regarding their investment decisions." SIFMA called for the proposal to be reevaluated to give deference to public companies' prudential regulators and relevant cybersecurity specialist agencies like CISA, and suggested, among other things:
The Structured Finance Association focused on the lack of discussion in the proposal on asset-backed issuers that do not have operations and businesses to which the disclosure framework could apply.
Nasdaq highlighted concerns from a group of its listed companies regarding the proposal. Nasdaq noted:
The Chamber of Commerce pointed to "significant flaws," including that the proposal:
NASAA supported the proposal, but recommended (i) providing a reporting delay for cybersecurity incidents subject to ongoing external investigations in order to avoid undermining law enforcement efforts and (ii) requiring companies that do not have cybersecurity policies to explicitly state that and to provide an explanation for why they have not implemented any such policies.
The Council of Institutional Investors supported the proposal, citing the importance of a company's board in navigating cybersecurity risk management, disclosing the board's oversight and experience to assist investors in making informed votes on directors and requiring timely disclosure of material cyber events to avoid investor harm.
Seven Senators joined in support of the proposal, highlighting similarities to the Cybersecurity Disclosure Act that had been introduced by the group. The Senators emphasized that (i) cybersecurity was an integral part of shareholder value, (ii) the proposal provided incentives for public companies to step up their cybersecurity efforts and (iii) the proposal addressed the risks that cybersecurity poses to all public companies.
Senator Rob Portman, Ranking Member of the Senate Committee on Homeland Security and Governmental Affairs, opposed the public and detailed nature of disclosing material cybersecurity incidents, stating that cyber criminals will use this information to exploit national cybersecurity and hinder law enforcement efforts to combat cyberattacks. Senator Portman suggested, among other things, that (i) the SEC include a "Law Enforcement Investigation Exemption" to allow companies to delay disclosure of cybersecurity incidents in the event of an ongoing law enforcement investigation and (ii) companies should not be required to disclose cybersecurity incidents if there is an ongoing internal investigation related to that cybersecurity incident. Senator Portman noted Congress's intent that the Cyber Incident Reporting for Critical Infrastructure Act be "the primary mechanism for companies to report cyber incidents" and juxtaposed how the Act provides for such exemptions.