According to Smeeta Ramarathnam, Chief of Staff to SEC Commissioner Luis Aguilar, the SEC is currently engaging in a comprehensive re-work of its investor disclosure rules, including with respect to rules bearing on cybersecurity incident disclosure. The SEC, which is formally tasked with overseeing issues that concern market integrity and disclosure of material information, revealed its plan to overhaul its disclosure rules during an April 23 panel at the 2015 RSA Conference in San Francisco, during which Ramarathnam stated that the SEC was entering “a time of great change” with respect to its regulation of investor disclosures.
The SEC’s announcement is not surprising considering the agency’s increasingly sharp focus on cybersecurity issues in recent years. In 2011, the SEC’s Division of Corporation Finance issued Disclosure Guidance on cybersecurity, which provided the SEC’s views on how disclosures related to cybersecurity procedures, controls, risks and past incidents should be handled under the existing SEC rules. In 2014, the SEC held its first Cybersecurity Roundtable, in which the agency emphasized the importance of board oversight of cybersecurity risk management and asked participants for feedback on how the 2011 Disclosure Guidance could be improved. The new disclosure rules will be the first SEC rulemaking that specifically aims at cybersecurity disclosures and binds SEC-regulated entities. Although there is no formal indication of what the new rules will entail or how firmly they will govern standards for cybersecurity disclosures, Ramarathnam’s comments suggest that the SEC is weighing the materiality aspect of disclosures against the need to protect companies from creating cybersecurity vulnerabilities through disclosure of potentially sensitive information about their processes, controls and incidents.