Reed: SEC’s New Cybersecurity Disclosure Rule for Public Companies a Starting Point, Will Continue Pressing for Enhanced Cybersecurity Disclosure Governance
WASHINGTON, DC – Today, after the U.S. Securities and Exchange Commission (SEC) voted to modernize and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies, U.S. Senator Jack Reed (D-RI), the author of the Cybersecurity Disclosure Act, issued the following statement:
“Public companies need to take cybersecurity seriously and make it a top priority. From major data breaches at companies like Equifax, Marriott, and Yahoo, we have seen the damage that data hacks or lax cyber security measures can lead to, endangering not just the financial health of individual companies but their customers and everyone they do business with. It’s not enough for companies to disclose cyber exposures once a breach has occurred. Rather, companies need to disclose more information about how their directors understand the importance of cyber security and manage that risk accordingly.
“I’ve long believed that companies need to be accountable at the highest level in order to ensure that cyber risk gets the appropriate level of attention. That’s why I led a bipartisan group of Senators in introducing legislation to require the SEC to write rules for companies to disclose board-level cybersecurity expertise.
“The SEC’s original proposal would have implemented this bipartisan legislation. But the SEC has watered down the rule by requiring general disclosure of the board’s oversight of cyber risk, without requiring specific disclosure of directors’ qualifications regarding cybersecurity.
“While this approach is an improvement, it does not provide appropriate incentives for companies to proactively address cyber risk. It also leaves investors without critical information about cyber expertise at the highest level of public companies.
“I consider today’s announcement a starting point. I will continue to press the SEC and public companies to take cyber risk more seriously and continue pressing for legislative fixes to protect investors and our economy.”
In March of 2022, the SEC published proposed rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The proposed rules sought to enhance and standardize disclosures regarding public companies’ cybersecurity risk governance, including disclosure of whether any directors on a company’s board have cybersecurity expertise. The proposed rules would affect public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.
In May of 2022, Senator Reed led a bipartisan comment letter to the SEC, along with U.S. Senators Catherine Cortez Masto (D-NV), Kevin Cramer (R-ND), Angus King (I-ME), Ron Wyden (D-OR), Mark Warner (D-VA), and Susan Collins (R-ME), urging the agency to finalize rules regarding disclosures of the board’s oversight of cybersecurity risks.
The seven Senators, all cosponsors of the Cybersecurity Disclosure Act, urged the SEC to issue the exact rules that the agency proposed in March to require publicly traded companies to disclose whether they have cybersecurity expertise on their boards of directors.
The Senators wrote: “The Proposal would implement bipartisan legislation that we have introduced called the Cybersecurity Disclosure Act. That legislation directs the SEC to issue rules requiring each public company to disclose, in its annual report or annual proxy statement, whether any member of its governing body has expertise or experience in cybersecurity, including details necessary to describe fully the nature of that expertise or experience. And if no member has such expertise or experience, a company would be required to describe what other aspects of the company’s cybersecurity were considered by any person, such as an official serving on a nominating committee, who is responsible for identifying and evaluating nominees for membership to the governing body.
“The Proposal follows the intent of our bill by encouraging directors to play a more effective role in cybersecurity risk oversight at public companies, and we commend the SEC for issuing a Proposal that would achieve this important goal.”