SEC Division of Corporation Finance Director Gives Speech on Cybersecurity Disclosure
December 15, 2023
In a recent speech, Erik Gerding, director of the SEC’s Division of Corporation Finance (the “Division”), discussed the SEC’s July 2023 final rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. In his introduction, Mr. Gerding commented on the timeliness of his remarks, noting that “[b]ecause some of the new disclosure requirements will take effect later this month, it is important to underscore the changes the Commission made from the proposal, highlight some significant parts of the rationale and mechanics of these rules, and clear up potential misconceptions.” The body of Mr. Gerding’s discussion was divided into the five topics below.
        Overview of the Rule and Its Rationale
Mr. Gerding addressed the SEC’s rationale behind releasing the final rule, including “investors’ need for improved disclosure” about cybersecurity in light of the greater cybersecurity risks in an increasingly technology-reliant world. He also stressed that, although investors “need consistent and comparable disclosures” about cybersecurity, it would be a “misconception” to think that the Commission is “seeking to prescribe particular cybersecurity defenses, practices, technologies, risk management, governance, or strategy.” Rather, “[p]ublic companies have the flexibility to decide how to address cybersecurity risks and threats based on their own particular facts and circumstances.”
            The Cybersecurity Incident Disclosure Provision
Mr. Gerding indicated that a better understanding of this provision of the final rule can be attained by asking three questions: “what must be disclosed, when must that information be disclosed, and why did the Commission use a materiality standard.” He emphasized the SEC’s decision to use materiality[1] as the threshold for when a disclosure is required and clarified that this was a departure from the proposal, “which would have required additional details that were not explicitly limited by materiality.” While acknowledging that some may “prefer a more bright line rule,” he explained that “[m]ateriality is a touchstone of securities laws [that] connects disclosures back to the needs of investors.”

He observed that the deadline for reporting a material cybersecurity incident is four business days after a registrant “determines the incident to be material [and] is not four business days after the incident occurred or is discovered.” He clarified that “[t]his timing recognizes that, in many cases, a company will be unable to determine materiality the same day the incident is discovered.” Note, however, that the final rule separately requires registrants to make that materiality determination without unreasonable delay after discovery of the incident, so the later start of the four-business-day clock does not permit an open-ended assessment period.
            The National Security and Public Safety Delay Provision
This provision of the final rule, which resulted from feedback on the proposal, allows registrants to delay providing a cybersecurity incident disclosure if the U.S. Attorney General communicates in writing that such disclosure “would pose a substantial risk to national security or public safety” (also see Deloitte’s earlier news item for more information about the FBI’s guidance on this topic). Mr. Gerding further pointed to the Division’s recently issued compliance and disclosure interpretation (C&DI) clarifying that the mere fact that a registrant consults with the DOJ regarding a delay does not automatically signify that the incident in question is material. Therefore, this should “not create a disincentive for public companies to consult with law enforcement or national security agencies about cybersecurity incidents.” Rather, Mr. Gerding “would encourage public companies to work with the FBI, CISA, and other law enforcement and national security agencies at the earliest possible moment after cybersecurity incidents occur” since such “timely engagement is in the interest of investors and the public.”
            The Risk Management, Strategy, and Governance Provisions
Mr. Gerding noted that the SEC “streamlined” these provisions after reading comments on the proposal and indicated that its intent in doing so was to “avoid being overly prescriptive or empowering threat actors to the detriment of companies and their investors.” Specifically, he gave two examples of changes the SEC made in the final rule: (1) requiring “disclosures regarding management’s role in assessing and managing material risks from cybersecurity threats” rather than “whether any members of their board have cybersecurity expertise” and (2) focusing “more broadly on the company’s cybersecurity processes” as opposed to the proposal’s requirement to disclose “cybersecurity policies and procedures as well as certain specific details regarding those policies and procedures.”
            Next Steps
Given the final rule’s imminent compliance date, Mr. Gerding addressed some of the actions public companies should consider taking, such as consulting with “chief information security officers, a company’s other cybersecurity experts and technologists, the company’s disclosure committee, and those responsible for advising them on securities law compliance.” He also stressed the Division’s own “open door policy” with respect to assisting companies with their interpretive questions regarding the final rule’s provisions. Mr. Gerding closed his remarks by reassuring companies that the Division does not “seek to make ‘gotcha’ comments or penalize foot faults.” Rather, he underscored that the SEC’s overarching goal with this rule, as with other rules, is to “elicit tailored disclosures that provide consistent, comparable, and decision-useful information to investors.”

For more information about the requirements of the SEC’s new cybersecurity rule, see Deloitte’s July 30, 2023, Heads Up.
            Footnotes
[1] The cybersecurity rule indicates that the definition of “materiality” is consistent with that established by the U.S. Supreme Court in multiple cases, including TSC Industries, Inc. v. Northway, Inc. (426 U.S. 438, 449 (1976)); Basic, Inc. v. Levinson (485 U.S. 224, 232 (1988)); and Matrixx Initiatives, Inc. v. Siracusano (563 U.S. 27 (2011)). Quoting TSC Industries, Inc. v. Northway, Inc.