Security and Exchange Commission compliance (SEC) , Standards, Regulations & Compliance

SEC Aims to Avoid Cyber Disclosure Rule 'Compliance Burdens'

Official Says Disclosure Rule Includes Exceptions, Extensions for Smaller Companies
SEC Aims to Avoid Cyber Disclosure Rule 'Compliance Burdens'
The new U.S. SEC reporting rule for material cyber incidents goes into effect Dec. 18 for large public companies. (Image: Shutterstock)

The U.S. Securities and Exchange Commission is providing extra time for smaller companies to follow a new cyber incident reporting rule and is working with a variety of organizations to avoid "compliance burdens," according to a top official from the federal regulatory agency.

See Also: New OnDemand: How CISOs Can Ace Cyber Risk Reporting to the Board and the SEC

Erik Gerding, director of the SEC's Division of Corporation Finance, said Wednesday the new disclosure rule - which requires public companies to report material cyber incidents within four days of determining a material impact on the organization or its customers - is meant to provide investors with actionable information about cybersecurity risks (see: SEC Votes to Require Material Incident Disclosure in 4 Days).

"It's not about playing gotcha with public companies," Gerding said at the Aspen Cyber Summit in New York City. "It's about actually providing information that's useful for investors."

The disclosure rule officially goes into effect on Dec. 18, though smaller companies will have an additional 180 days to comply with the new requirements, which include releasing annual reports that feature information about basic risk management and governance practices (see: SEC Breach Disclosure Rule Makes CISOs Assess Damage Sooner).

Gerding said the new rule also ensures that public disclosures of material cyber incidents won't provide cybercriminals with a road map to conduct their next attacks. He said the rule does not include reporting requirements that would provide revealing technical specifics but instead focuses on providing real-time investment insights on companies' cybersecurity risk management operations.

"Investors really don't have a good picture into what losses companies may face from cybersecurity incidents," Gerding said, "and what investors are really looking for is to be able to tell which companies are dealing with more risk."

Despite previously raised concerns from industry and even some SEC commissioners that the new regulations could pose security risks for publicly traded companies and even raise national security concerns, Gerding said the rule includes important exceptions for certain cases.

Under the rule, the attorney general can make the determination that a public disclosure of a cyber incident could pose a significant risk to public safety or national security.

"That gives public companies more chances to work with the Department of Justice, the FBI or other national security and law enforcement agencies to address secret cybersecurity events," Gerding said.


About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.