Society Submits Cybersecurity Comment Letter

By Randi Morrison posted 05-22-2022 08:23 PM

  

 The Society submitted this comment letter in response to the SEC’s request for comments on its “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rulemaking proposal (reported on here).

As detailed in the letter, the Society recommends that the SEC:

  • Narrow the definition of reportable cyber incidents to include only those that cause injury or a material impact
  • Allow companies to delay disclosure so they don’t interfere with law enforcement or national security investigations
  • Adjust the disclosure framework to reflect state notification statutes, the complexity of assessing the materiality of cyber incidents, and the need for issuers to remediate vulnerabilities before public disclosure
  • Protect companies from the costs of frivolous securities litigation by providing a safe harbor and/or allowing “furnished” incident disclosures
  • Not require issuers to speculate on the cumulative impact of previously disclosed cybersecurity incidents 
  • Allow greater flexibility for companies to explain how their boards and management teams oversee and manage cybersecurity risks

The Society thanks Society member Carolyn Frantz and her team at Orrick, who prepared the first draft of this letter, and the more than 40 Society members who reviewed drafts of the letter and provided their companies’ perspectives and suggested edits.    

Additional comment letters are here.

See “Businesses Seek to Soften SEC Cyber Rules” (WSJ) and additional resources on our Cybersecurity/Data Privacy page.
 
This post first appeared in the weekly Society Alert!
