The U.S. Securities and Exchange Commission (SEC) has proposed new cybersecurity risk management guidelines for corporate firms, requiring them to be more upfront in their disclosures to consumers. The new rules would be applied through modifications to several forms pertaining to cybersecurity disclosures, and they would notably target investment advisers, investment funds, and business development companies.
The SEC’s efforts to impose stronger regulations on cybersecurity disclosures are not new. Former SEC Commissioner Robert J. Jackson Jr. stated in 2018 that the current disclosure regulations “err on the side of nondisclosure” and frequently kept investors in the dark when corporations suffered hacks or other cybersecurity incidents.
Currently, firm management is only obligated to keep boards of directors aware of cybersecurity risks; it is not compelled to disclose them to investors or other consumers. According to a joint study conducted in 2021, just 17% of the Fortune 100 businesses surveyed in 2020 reported cybersecurity problems to board members on an annual or quarterly basis.
It is unknown how this will affect the crypto industry, which is seeing an increase in the number of investment funds including various digital assets and crypto derivatives in their portfolios. However, the proposed rules may result in a large number of disclosures from the crypto sector.
SEC plans to change the law
The SEC is keen to change this, having spent much of 2022 presenting several proposals that, if approved, would force public firms to report cyberattacks and incidents. This is the case with the proposal on cybersecurity risk management for investment advisers, registered investment companies, and business development companies, which was released on February 9.
In the paper, the SEC proposes new regulations under the Investment Advisers Act of 1940 to compel funds and advisers to establish new cybersecurity procedures. According to the paper, these rules and procedures are expressly designed to manage cybersecurity risks by requiring enterprises to disclose significant cybersecurity incidents involving the adviser, its fund, or private fund clients to the SEC. The SEC said in the proposal:
“We believe requiring advisers and funds to report the occurrence of significant cybersecurity incidents would bolster the efficiency and effectiveness of our efforts to protect investors, other market participants, and the financial markets in connection with cybersecurity incidents.”
According to Jamil Farshchi, Equifax’s chief information security officer, the new standards will bring much-needed transparency to corporate leadership and mandate unprecedented accountability when it comes to cybersecurity.
More regulations mean more power for the SEC
Many people feel that the SEC’s new effort to take a more active role in improving cybersecurity standards is a direct result of the SolarWinds attack. The notorious incident is widely regarded as one of the largest cyber-espionage episodes in U.S. history, with several parts of the federal government compromised by a group of Russia-backed hackers.
The attackers tampered with software updates from a U.S. government contractor, then used them as a springboard to infiltrate other government departments and businesses. Following the incident, the SEC sent letters to corporate firms it considered at risk of having been compromised, ordering them to self-report whether they had been hacked and the extent of the harm caused.
As a result of the low number of disclosures received, the Commission launched the Amnesty Program, which offered pardons to corporations that ultimately complied with the self-reporting requirement, even if they had not previously revealed the incident to investors.
The initiative was deemed “noteworthy” at the time by the National Association of Corporate Directors, the Cyber Threat Alliance, and SecurityScorecard, since it showed the SEC’s evolving position on cyber risk. SecurityScorecard’s chief business and legal officer, Sachin Bansal, called it a “watershed” moment for the SEC. Nonetheless, the SEC’s latest plan leaves many questions unanswered.
If the proposed rules are enforced, corporate firms would be required to disclose “substantial” or “major” cyberattacks. According to the SEC, “material” information is any information for which there is a “substantial possibility that a reasonable shareholder would deem it important.”
Many people believe that the SEC’s criteria are too broad to provide meaningful market transparency. Because the guidelines are imprecise, the SEC will have to interpret them on a case-by-case basis, giving firms leeway to appeal rulings and set precedents that might render the proposal practically worthless.
There is, however, still room for improvement. The SEC is not expected to vote on the plan for many weeks, giving industry participants plenty of time to raise their concerns and ideas with the Commission.