Gary Gensler
The SEC adopted new rules Wednesday requiring enhanced cybersecurity disclosures for public companies and approved a rule proposal focused on investment advisers' and broker dealers' use of artificial intelligence.
The cybersecurity rule passed in a 3-2 vote, as Republican Commissioners Hester M. Peirce and Mark T. Uyeda voted against the rule, while Democrats on the commission supported it.
One controversial aspect of the rule is the timeline it provides for public companies to disclose a cybersecurity incident on Form 8-K. If companies determine an incident is material, they must disclose that incident within four business days of that determination, the rule states.
"The disclosure may be delayed if the United States attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the commission of such determination in writing," an SEC news release states.
The rule also requires that companies disclose their cybersecurity risk management, strategy and governance in annual reports, and requires similar disclosures from foreign private issuers.
Ms. Peirce said Wednesday that obtaining approval from the attorney general within four business days would be "quite a feat," and she expressed concern that even pared back disclosures would put additional burdens on companies.
Chairman Gary Gensler pointed out that the rule, unlike the original proposal issued in March 2022, does not require any disclosures of non-material information related to incidents. He also said many public companies already disclose cybersecurity information to investors.
"I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way," Mr. Gensler said Wednesday.
"This rule, in conjunction with other cybersecurity-related reforms the SEC is pursuing, will better protect investors, companies, and markets from these increasingly damaging and predatory events," Stephen Hall, legal director and securities specialist at Better Markets, said in a news release Wednesday.
In another 3-2 vote along party lines, the commission also voted to issue a proposal aimed at addressing conflicts of interest in investment advisers' and broker dealers' use of artificial intelligence and similar technologies.
Specifically, the proposal directs investment advisers and broker dealers to "evaluate and determine whether its use of certain technologies in investor interactions involves a conflict of interest that results in the firm's interests being placed ahead of investors' interests," an SEC news release states. If such a determination is made, then firms must eliminate or neutralize the effect of the conflicts.
In a speech at the National Press Club last week, Mr. Gensler said that while AI offers many benefits, it also poses risks due to its potential for biases.
"The outcomes of its predictive algorithms may be based on data reflecting historical biases as well as latent features that may inadvertently be proxies for protected characteristics," Mr. Gensler said July 17.
On Wednesday, Mr. Gensler said that the rule proposal would help protect against conflicts of interest and "require that, regardless of the technology used, firms meet their obligations … not to place their interests ahead of investors' interests."
A spokesperson for the Investment Company Institute said while they welcome the SEC's consideration of technology's implications, "the ever-evolving technology landscape makes it important that the industry has consistent, technology-neutral rules," and the commission should be careful not to limit an investor's ability to choose their preferred investment professional or product.
Separately, the SEC voted unanimously to issue a rule proposal aimed at modernizing the "internet adviser exemption," which allows investment advisers offering services over the internet to register with the SEC even if they don't meet the typical threshold to do so. The new proposal would require advisers relying on this exemption to have an operational, interactive website through which they provide advisory services to more than one client at a time.
