WASHINGTON, D.C.—Today, the U.S. Securities and Exchange Commission (SEC) finalized a rule that requires publicly traded companies to disclose significant cybersecurity incidents and to inform investors about their policies and procedures regarding cybersecurity risk management. Legal Director and Securities Specialist Stephen Hall released the following statement:
“Cybersecurity is one of the most important issues that publicly traded companies face. In fact, CEOs put cyberattacks at the top of their list of concerns. This rule, in conjunction with other cybersecurity-related reforms the SEC is pursuing, will better protect investors, companies, and markets from these increasingly damaging and predatory events.
“As we explained in our comment letter, the threats to a company’s cybersecurity continue to grow, as do the ramifications for companies that experience significant cybersecurity incidents. Denial-of-service attacks and ransomware or other malware attacks can cripple a company, damaging the company’s reputation and harming investors. Large-scale cyberattacks can also have cascading effects across the economy. These risks will continue to increase as companies become more dependent on digitizing their operations and store more and more valuable data within their networking systems. For these reasons, investors need to know as soon as possible when a company experiences a material cybersecurity incident, and they need information about a company’s cybersecurity strategy and the role of its board and management in executing that strategy.
“We applaud the SEC for finalizing a rule that provides investors with the information that they need. The rule will ensure that disclosures by publicly traded companies about cybersecurity are mandatory, uniform, easy to find, and comparable. The rule requires publicly traded companies to disclose information about a material cybersecurity incident within four business days after they determine that they have experienced such an incident. The rule further requires publicly traded companies to include in their periodic reports disclosures about their policies and procedures for the identification and management of risks from cybersecurity threats; disclosures about the board’s and management’s oversight of cybersecurity risk; and disclosures about management’s cybersecurity expertise. The final rule did take a step backward by removing the proposed requirement that publicly traded companies also disclose information about the board’s cybersecurity expertise. When it comes to board expertise and engagement, the SEC should be asking for more, not less, transparency.
“Overall, the final rule is strong, and it will help protect investors from the consequences of cyberattacks at publicly traded companies. Prompt reporting of material cybersecurity incidents will enable investors to consider the impact of an attack on their investment and will minimize the ability of corporate insiders and malicious actors to trade on material, nonpublic information at investors’ expense. And information about a company’s policies and procedures regarding cybersecurity will enable investors to better assess and compare how companies manage cybersecurity risks.”
Better Markets is a non-profit, non-partisan, and independent organization founded in the wake of the 2008 financial crisis to promote the public interest in the financial markets, support the financial reform of Wall Street and make our financial system work for all Americans again. Better Markets works with allies—including many in finance—to promote pro-market, pro-business and pro-growth policies that help build a stronger, safer financial system that protects and promotes Americans’ jobs, savings, retirements and more. To learn more, visit www.bettermarkets.org.