04/08/2025 | News release | Distributed by Public on 04/08/2025 08:05
Gary Gensler's Securities and Exchange Commission went to great lengths to regulate public companies for their cybersecurity practices over the last four years. It took unprecedented legal action against cyber professionals and established unique disclosure rules for cyber events. [1],[2] In particular, its cyber disclosure rule presumed that existing law on disclosures of material events - effectively, the filing of an 8-K - was insufficient, and established a special rule that forced public companies to prematurely disclose material cyber incidents, even if those incidents were ongoing and unremediated. Many objected that these actions would backfire, reducing the effectiveness of cyber defense, and evidence has already proven those objections valid. It is time for the SEC to undo the damage and rescind its unsound cyber incident disclosure rule for the safety and security of all U.S. public companies.
Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), companies must report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. These reports are confidential and are used to collect information to triage threats and warn other potential victims.
The SEC's public disclosure mandate, however, significantly shortens the time that victim companies - and any law enforcement or intelligence agencies the company may be working with - have to assess an incident. Under the rule, companies are required to file an 8-K within four days of discovery of any material cyber incident. That effectively means that an affected company has less than 24 hours between when an incident is privately reported and when that information becomes public.
The SEC's disclosure requirement is therefore a gift for bad actors. This unacceptably short timeframe leaves victim companies with virtually no time to resolve the problem before that weakness is made public. If a fix isn't implemented in time, the risk to the victim company - and any company that shares that system or vulnerability - increases exponentially as other illicit actors now have an instruction manual on how to inflict further havoc. The rule not only exacerbates victim companies' exposure to threats, it also warps the priorities of cybersecurity first responders - imagine a new ordinance requiring that firefighters leave a burning building to send a press release about the fire before it is extinguished.
The premise of the SEC's rule was that a reasonable investor would want to be notified immediately of any cyber problem at a company. The flaw in the SEC's rule is that no reasonable investor would want to be notified of a cyber problem if that meant notifying the perpetrators and other malicious actors. A reasonable Coca-Cola investor would doubtless be interested in learning the formula for Coke - but not if that meant everyone learning the formula.
Unsurprisingly, this odd view of investor preference failed to garner unanimous support within the SEC. Commissioners Hester Peirce and Mark Uyeda both dissented, with Commissioner Uyeda stating that the disclosure requirements "swing a hammer at the current regime and create new disclosure obligations for cybersecurity matters that do not exist for any other topic."[3] Commissioner Peirce articulated a similar objection, saying the rule seems "designed to better meet the needs of would-be hackers rather than investors' need for financial information."[4]
Unfortunately, Commissioner Peirce's words have proven prescient. In November 2023, ransomware group AlphV weaponized the SEC's rule by reporting its own victim to the Commission as a ransom payment extortion tactic.[5] Ransomware is a pervasive threat affecting every sector of the economy - companies large and small. This incident demonstrates that the SEC's rule is not only misguided, but arms cybercriminals with an additional means to inflict financial harm on victim companies.
Financial institutions fully support transparency and information sharing. In fact, the industry was one of the leading proponents for CIRCIA. But effective public-private sector coordination and cybersecurity defense are threatened, not strengthened, by the SEC's actions. As noted by over 20 former senior government officials, "public disclosure is not a substitute for, and must not come at the expense of, voluntary confidential sharing of more detailed cyber threat information."[6] Under the prior administration, the SEC stood alone in its demand that transparency for investors come at the cost of security.
These security costs are not intangible or hypothetical - especially with escalating geopolitical threats. Our cyber adversaries are sophisticated, well-resourced and can leverage our transparency as a weapon to perpetrate attacks. The SEC should immediately rescind its requirement to publicly disclose ongoing cyber incidents rather than divert the attention of cyber teams during a critical point in time.
As the new administration begins, the SEC has the opportunity to reevaluate whether its transparency ends justify its security-compromising means. It is in our collective interest that the Commission make the most of that opportunity.
[1] Complaint at 1, Sec. and Exchange Commission v. SolarWinds Corp. and Timothy G. Brown (No. 23-cv-9518) (S.D.N.Y. 2023).
[2] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 Fed. Reg. 51896 (Aug. 4, 2023).
[3] Commissioner Mark T. Uyeda, Statement on the Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, U.S. Sec. & Exchange Comm. (Jul. 26, 2023), https://www.sec.gov/newsroom/speeches-statements/uyeda-statement-cybersecurity-072623.
[4] Commissioner Hester M. Peirce, Harming Investors and Helping Hackers: Statement on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, U.S. Sec. & Exchange Comm. (Jul. 26, 2023), https://www.sec.gov/newsroom/speeches-statements/peirce-statement-cybersecurity-072623.
[5] AlphV files an SEC complaint against MeridianLink for not disclosing a breach to the SEC, DataBreaches.Net (Nov. 15, 2023), https://databreaches.net/2023/11/15/alphv-files-an-sec-complaint-against-meridianlink-for-not-disclosing-a-breach-to-the-sec/.
[6] Brief of Amici Curiae Former Government Officials at 17, Sec. and Exchange Commission v. SolarWinds Corp. and Timothy G. Brown (No. 23-cv-9518) (S.D.N.Y. 2023).