SEC wading deeper into cybersecurity for advisers, public firms

Amid its active regulatory slate, the Securities and Exchange Commission has made cybersecurity a focus this year.

The commission in February and March proposed rules aimed at enhancing cybersecurity disclosures for investment advisers and public companies, respectively.

The first proposal would require investment advisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm clients and investors. The proposed rules would also require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the commission on a new confidential form.

The public company-focused proposal would require companies to report material cybersecurity incidents on Form 8-K filings within four business days. In describing what the agency constitutes as "materiality," the SEC cited a previous case that found information is material if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision or if it would have "significantly altered the 'total mix' of information made available."

Scott H. Kimpel, Washington-based partner with law firm Hunton Andrews Kurth LLP, said he's concerned with how the proposal could impact "cumulative materiality."

"Companies are under constant assault; they're repelling the vast majority of attacks on a daily basis and any of those individually is immaterial, but if you have 100 assaults during the day that are nonetheless repelled, is it still material?" he said. "There's not a lot of guidance in the release on that."

He added, "What exactly does that mean if the events are not related to one another? I think that's something our industry is going to have to think through."

The proposal would also require a company to describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether it considers cybersecurity as part of its business strategy, financial planning and capital allocation. Further, the proposal would require disclosure about a board's oversight of cybersecurity risk, and management's role and expertise in assessing and managing cybersecurity risk and implementing the company's cybersecurity policies, procedures and strategies, the SEC noted in a fact sheet.

On board oversight disclosure, "No company is going to want to disclose that they have no cybersecurity expertise once it becomes a mandatory thing to do, so every board is going to be scrambling to find people," Mr. Kimpel said.

He added, "I am concerned a bit that we're going into this one-size-fits-all governance model and boards are becoming less strategic thinkers and more micromanaging regulatory compliance, which is only one facet of their roles. I wonder if that starts to crowd out opportunity for the long-term thinking that actually generates new business opportunities and leads to the growth that investors want."

SEC Chairman Gary Gensler said in a March 9 news release that cybersecurity today is an emerging risk with which public issuers increasingly must contend. "Investors want to know more about how issuers are managing those growing risks," he said. "A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable and decision-useful manner."

The rule proposal was approved March 9 in a 3-1 vote, with the commission's lone Republican, Hester M. Peirce, dissenting.

Prior to the vote, Ms. Peirce said that while the SEC regulates public companies' disclosures, it does not regulate their activities. "While the integration of cybersecurity expertise into corporate decision-making likely is a prudent business decision for nearly all companies, whether, how and when to do so should be left to business — not SEC — judgment," Ms. Peirce said. "Regulators may have a role to play in working with companies on cybersecurity, but we are not the regulators with the necessary expertise."

The U.S. Chamber of Commerce and business community are concerned the SEC's proposed rule may conflict with recently passed federal cyber incident reporting legislation and will not meaningfully enhance investor protection, said Christopher D. Roberti, Washington-based senior vice president for cyber, intelligence and supply chain security policy at the Chamber, in a statement.

In March, Congress passed, and President Joe Biden signed, the Cyber Incident Reporting for Critical Infrastructure Act of 2022. It requires owners and operators of critical infrastructure, such as dams and nuclear reactors, to report certain cyber incidents to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency within 72 hours, and any ransomware payments within 24 hours.

The law will allow the federal government to collaborate quickly to respond to significant incidents, mitigate their impact and warn other potentially affected entities rapidly and discreetly, Mr. Roberti said. "The SEC proposed rule, in contrast, would seem to offer none of these benefits and existing requirements already require public companies to timely disclose material events under the federal securities laws."

The comment period for investment adviser cyber disclosure proposal closed April 11; the public company cyber disclosure proposal comment period closes May 9.