Better Markets filed a comment letter in response to the Securities and Exchange Commission’s proposal to establish comprehensive cybersecurity disclosure requirements for publicly traded companies.
Why It Matters. A recent survey of CEOs found that cybersecurity was the threat they were most worried about over the next 12 months, edging out the COVID-19 global health crisis. While we have seen the economic damage a global pandemic can have on companies of all sizes, we have also seen the crippling effects a major cyberattack or data breach can have on a company. These cyberattacks and data breaches can have material effects on a company’s business operations, reputation, and financials. Despite the serious risk that cybersecurity poses to a business’s operations, reputation, and financials, there are currently no regulations that directly address how companies should disclose cybersecurity risks, governance, and incidents to investors. This has led to a disclosure regime that lacks uniformity and leaves investors to search a company’s SEC disclosures, press releases, and website to find the requisite cybersecurity information, if this information is disclosed at all.
What We Said. The Proposal builds on previous guidance issued by the staff and the Commission to ensure more standardized and timely disclosures of cybersecurity risks, governance, and incidents to investors. The proposed Item 106 disclosures in Form 10-K will better inform investors of the cybersecurity risks posed to the operations, reputation, and financials of a publicly traded company. Additionally, the proposed Item 1.05 in Form 8-K will inform investors of material cybersecurity incidents in a timely manner, which minimizes the ability of corporate insiders and malicious actors to trade on material, nonpublic information at the expense of investors. Along with our broad support for the Proposal, we highlighted a few ways in which it should be strengthened by enhancing some of the required disclosures and expanding the class of cybersecurity incidents that trigger a disclosure obligation.
Bottom Line. Better Markets supports the Commission’s proposed rule to establish comprehensive cybersecurity disclosure requirements for publicly traded companies, which would provide investors with more standardized and timely material information about the cybersecurity risks, governance, and incidents that face publicly traded companies in today’s financial markets.