SEC Adopts New Cyber-Incident Disclosure Rules for Public Companies

The Securities and Exchange Commission (SEC) adopted new rules requiring publicly traded companies to disclose hacking incidents, a measure officials said was to help the investing public contend with the mounting cost and frequency of cyber attacks.

Source: Reuters | Published on July 27, 2023

On a party-line vote, the five-member SEC also voted to propose requiring broker-dealers to address conflicts of interest in the use of artificial intelligence in trading, a reform partly influenced by the events of the 2021 “meme stock” rally when officials found robo-advisers and brokers used AI and game-like features to drive user behavior.

The new cybersecurity rule will require companies to disclose a cyber breach within four days after determining it is serious enough to be material to investors. The rule would allow delays if the Justice Department deems them necessary to protect national security or police investigations, the SEC said.

Companies will also have to periodically describe their efforts to identify and manage threats in cyberspace. The rule, first proposed in March 2022, forms part of a broader SEC effort to harden the financial system against data theft, systems failure and cyber-intrusions.

Republican commissioners dissented, saying the new rule was unnecessary given existing requirements, was unduly burdensome on companies and could offer hackers a roadmap to their targets’ vulnerabilities and the size of ransom to be demanded.

SEC officials said that in response to public comments they had trimmed certain parts of the proposal, removing a requirement for companies to disclose board members’ expertise in cybersecurity.

The AI proposal issued on Wednesday would require broker-dealers to “eliminate or neutralize” any conflict of interest that occurs if a trading platform’s predictive data analytics puts the broker’s financial interest ahead of that of the firm’s clients.

Republican commissioners again objected, claiming the proposal was unnecessary in light of brokerages’ disclosure requirements and could stifle the use of new technologies.

“The release does seem to suggest that investors when confronted with these technologies just melt into puddles of incompetence and so disclosure doesn’t work for them,” Commissioner Hester Peirce said.

William Birdthistle, the SEC’s director of investment management, said the proposal would not replace any disclosure requirements and that because the technologies are highly scalable, complex and frequently opaque, a special rule was necessary.

In a third vote on Wednesday, the SEC unanimously proposed requiring more internet-based investment advisors to register with the federal agency, narrowing an exemption officials said some had used to avoid this.

If adopted, the rule would require that investment advisers provide investment advice through a functioning, interactive website, among other changes, thereby preventing them from using the two-decade-old exemption inappropriately.