SEC Aims to Avoid Cyber Disclosure Rule 'Compliance Burdens'Official Says Disclosure Rule Includes Exceptions, Extensions for Smaller Companies
The U.S. Securities and Exchange Commission is providing extra time for smaller companies to follow a new cyber incident reporting rule and is working with a variety of organizations to avoid "compliance burdens," according to a top official from the federal regulatory agency.
Erik Gerding, director of the SEC's Division of Corporation Finance, said Wednesday the new disclosure rule - which requires public companies to report material cyber incidents within four days of determining a material impact on the organization or its customers - is meant to provide investors with actionable information about cybersecurity risks (see: SEC Votes to Require Material Incident Disclosure in 4 Days).
"It's not about playing gotcha with public companies," Gerding said at the Aspen Cyber Summit in New York City. "It's about actually providing information that's useful for investors."
The disclosure rule officially goes into effect on Dec. 18, though smaller companies will have an additional 180 days to comply with the new requirements, which include releasing annual reports that feature information about basic risk management and governance practices (see: SEC Breach Disclosure Rule Makes CISOs Assess Damage Sooner).
Gerding said the new rule also ensures that public disclosures of material cyber incidents won't provide cybercriminals with a road map to conduct their next attacks. He said the rule does not include reporting requirements that would provide revealing technical specifics but instead focuses on providing real-time investment insights on companies' cybersecurity risk management operations.
"Investors really don't have a good picture into what losses companies may face from cybersecurity incidents," Gerding said, "and what investors are really looking for is to be able to tell which companies are dealing with more risk."
Despite previously raised concerns from industry and even some SEC commissioners that the new regulations could pose security risks for publicly traded companies and even raise national security concerns, Gerding said the rule includes important exceptions for certain cases.
Under the rule, the attorney general can make the determination that a public disclosure of a cyber incident could pose a significant risk to public safety or national security.
"That gives public companies more chances to work with the Department of Justice, the FBI or other national security and law enforcement agencies to address secret cybersecurity events," Gerding said.