On July 25, 2023, the United States Securities and Exchange Commission (SEC), by a slim majority (3-2 vote), adopted final rules on cyber security risk management, strategy, governance, and incident reporting by public companies. The news was reported by JD Supra.
These newly adopted rules, known as the Final Rules, serve a twofold purpose. Principally, they aim to enhance and standardize the disclosures registrants make about cyber security risk management, strategy, and governance, and about any material cyber security incidents. The rules apply to registrants subject to the reporting requirements of the Securities Exchange Act.
The decision, while not unanimous, reflects the agency's growing concern about the potential financial impact of cyber threats on public companies, their stakeholders, and the broader economy. In adopting these rules, the SEC joins a growing chorus of regulatory bodies worldwide that are pressing companies to take cyber security risks more seriously.
It is important to stress that the SEC's new rules are not only about requiring companies to reveal when they have been attacked; they also set a standard for all disclosures related to cyber security risk. As such, they require companies to disclose details of the governance structures set up to manage those risks, as well as their cyber security strategies.
However, the split decision signals that debate continues within the regulatory community about the best way to approach the issue, and about how much of the burden should rest on companies themselves. While some favor a more hands-on, prescriptive approach, others voice concern that too much regulation could stifle innovation.