U.S. Markets Regulator Will Require Companies To Report Cyber Incidents
UK and EU are investigating Google and Facebook's ad practices; CA attorney general issues CCPA opinion
The United States (U.S.) Securities and Exchange Commission (SEC) has proposed changing its material disclosure regulations to require publicly traded companies to disclose “material cybersecurity incidents” shortly after they are discovered, as opposed to the current regime, which allows companies to reveal these occurrences in their quarterly and annual reports. The agency provides a host of reasons for the proposed changes, including harm to investors, financial markets, and the U.S. The agency is using its broad authority over publicly traded companies to expand current reporting requirements. Over the last decade, the agency has issued interpretive guidance[1] to these companies that staff claims has resulted in inconsistent reporting on cybersecurity incidents. Hence, as a means of getting material information to investors, these companies could soon have affirmative duties to report material cybersecurity incidents in publicly available documents.
In the recent past, the SEC has charged entities subject to the agency’s jurisdiction with violating other requirements related to cybersecurity. For example, in August 2021, the SEC “sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.” In June 2021, the agency “settled charges against real estate settlement services company First American Financial Corporation for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information.” With the issuance of final rules requiring publicly traded companies to disclose material cybersecurity incidents, the SEC will have another set of tools to provide better insight into the cybersecurity of many sectors of the U.S. economy and, ideally, drive better cybersecurity.