Paul Ferrillo is partner at Seyfarth Shaw LLP; Bob Zukis is Adjunct Professor of Management and Organization at the USC Marshall School of Business; and Christophe Veltsos is a Professor at Minnesota State University.
One month prior to its March 9th announcement, the SEC released its proposed cyber rules specifically for registered investment advisers and registered investment funds. It has now turned its attention to public reporting companies and is proposing regulatory changes to cyber incident reporting, cyber risk management and cyber governance.
The last time the SEC issued interpretive guidance for public companies on cyber risk was in 2018 (see 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures). [1] Since then, there have been litigation releases that have also provided guidance to public companies on their cybersecurity disclosure controls and obligations. [2] We summarized some of these releases in a prior Harvard Law Forum article to help public companies understand the scope of their reporting obligations. [3]
Where these prior Commission statements and litigation releases fell short, the new proposed rules significantly raise the bar. These proposed rules appreciably increase corporate accountability for cyber risk from the boardroom on down. By becoming more specific and prescriptive, the SEC is addressing observed shortcomings and inconsistencies in cyber incident reporting practices that range from whether an incident is even disclosed, to what gets disclosed and when, to how companies govern and manage cyber risk. No longer just unevenly interpreted self-regulatory guidance, these are proposed regulatory changes that apply to all issuers.
On March 9, 2022, when the SEC turned its attention to public companies, SEC Chair Gensler commented: