Amid its active regulatory slate, the Securities and Exchange Commission has made cybersecurity a focus this year.
The commission in February and March proposed rules aimed at enhancing cybersecurity disclosures for investment advisers and public companies, respectively.
The first proposal would require investment advisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm clients and investors. The proposed rules would also require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the commission on a new confidential form.
The public-company-focused proposal would require companies to report material cybersecurity incidents on Form 8-K filings within four business days. In describing what constitutes "materiality," the SEC cited a previous case that found information is material if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision or if it would have "significantly altered the 'total mix' of information made available."
Scott H. Kimpel, Washington-based partner with law firm Hunton Andrews Kurth LLP, said he's concerned with how the proposal could impact "cumulative materiality."
"Companies are under constant assault; they're repelling the vast majority of attacks on a daily basis and any of those individually is immaterial, but if you have 100 assaults during the day that are nonetheless repelled, is it still material?" he said. "There's not a lot of guidance in the release on that."
He added, "What exactly does that mean if the events are not related to one another? I think that's something our industry is going to have to think through."
The proposal would also require a company to describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether it considers cybersecurity as part of its business strategy, financial planning and capital allocation. Further, the proposal would require disclosure about a board's oversight of cybersecurity risk, and management's role and expertise in assessing and managing cybersecurity risk and implementing the company's cybersecurity policies, procedures and strategies, the SEC noted in a fact sheet.
On board oversight disclosure, "No company is going to want to disclose that they have no cybersecurity expertise once it becomes a mandatory thing to do, so every board is going to be scrambling to find people," Mr. Kimpel said.
He added, "I am concerned a bit that we're going into this one-size-fits-all governance model and boards are becoming less strategic thinkers and more micromanaging regulatory compliance, which is only one facet of their roles. I wonder if that starts to crowd out opportunity for the long-term thinking that actually generates new business opportunities and leads to the growth that investors want."