In September 2023, the Securities and Exchange Commission (SEC) introduced the Proposed Rule for Public Companies (PRPC), a significant step towards enhancing cybersecurity disclosure, governance, and risk management for public companies. While the intent behind this rule is undoubtedly noble, it has sparked substantial debate and pushback. The PRPC's current form leaves ample room for interpretation and raises practical concerns, especially regarding the stringent disclosure timeline. This article delves into the intricacies of the proposed rule and explores the challenges it poses to chief information security officers (CISOs) and public companies.

The Unreasonable Burden of Tight Timelines

One of the most contentious aspects of the PRPC is the requirement for companies to report "material" cybersecurity incidents within a mere four days. This timeline places enormous pressure on CISOs, forcing them to disclose incidents before they can gather all pertinent details. The complexity of cybersecurity incidents often means that understanding and fully remediating them can take weeks or even months. This rush to report may lead to disclosing vulnerabilities that, with more time, might be deemed less material. Such premature disclosures can potentially impact a company's short-term stock price.

Incidents Are Dynamic, Not Static

Cybersecurity incidents are not one-and-done affairs; they are dynamic and evolve over time. Comparing this disclosure window to the European Union's General Data Protection Regulation (GDPR), which mandates reporting incidents of non-compliance within 72 hours, reveals nuances. GDPR demands reporting within a defined timeframe, but what constitutes a reportable incident is well-defined. While 72 hours may be insufficient to fully grasp the overall impact of an incident, organizations usually know if personal information has been compromised.

In contrast, PRPC's disclosure requirements, with an additional 24-hour buffer, hinge on the internal qualification of the breach's materiality. "Materiality" is broadly defined as anything that a "reasonable shareholder would consider important," making it a subjective and vague criterion.

Vague Definitions Breed Uncertainty

The proposed rule introduces another challenge with its requirement to disclose incidents that were not material on their own but became so "in aggregate." This raises questions about how this works in practice. Does an unpatched vulnerability from six months ago suddenly qualify for disclosure if it was used to extend the scope of a subsequent incident? The ambiguity of this provision blurs the lines between threats, vulnerabilities, and business impact. Vulnerabilities that are not exploited are not material because they do not create a business impact. The rule's language makes it harder to decipher what needs to be disclosed, and the aggregation clause further complicates this assessment.

Additionally, the rule necessitates disclosing policy changes resulting from previous incidents. The depth of this requirement and its practical implications remain unclear. Policies are typically high-level statements of intent and are not meant to be detailed forensic configuration guides. While certain updates, such as mandating specific encryption algorithms, make sense, the rule does not specify which policy changes warrant disclosure. This lack of clarity raises questions about how rigorously this will be enforced and why it is necessary.

Quarterly Earnings Calls: An Unsuitable Forum

The PRPC stipulates that quarterly earnings reports will serve as the forum for cybersecurity disclosures. This choice raises practical concerns. Quarterly earnings calls are primarily financial events, and having the Chief Financial Officer (CFO) or CEO discuss cybersecurity matters may not be ideal. CISOs may need to join these calls, but this opens a new set of questions. Will CISOs respond to questions from financial analysts? These calls are traditionally focused on financial performance, and it remains to be seen how effectively cybersecurity updates can be integrated into this format.

Addressing Board Experience and Communication

The initial iteration of the PRPC mandated disclosures regarding board oversight of cybersecurity risk management policies, including details about individual board members' cyber expertise. After scrutiny, this requirement was removed. However, the rule still emphasizes the need for companies to describe the board's process for overseeing cybersecurity risks and management's role in handling these risks. This highlights an existing gap in communication between boards and security executives.

To bridge this gap, greater alignment between the board and security executives is imperative. Dr. Keri Pearlson and Lucia Milică's survey revealed that less than half of board members regularly interact with their CISOs. This underscores the need for improved communication and awareness.

Conclusion

The PRPC is a step towards strengthening cybersecurity governance for public companies, but it poses practical challenges and uncertainties. As this rule evolves, it remains to be seen how companies will adapt to meet the proposed requirements. Striking a balance between the imperative for transparency and the practicality of implementation will be crucial for the rule's success. Ultimately, the cybersecurity landscape continues to evolve, and regulations must evolve in tandem to effectively address emerging threats.