The US Securities and Exchange Commission (SEC) has introduced a new set of cybersecurity risk management rules that would require corporations to be clear in their disclosures to customers. The new rules would act as fixes to various cybersecurity disclosure requirements and would mainly target business development companies, investment advisers, and investment funds.
Cybersecurity Hacks Are No Longer In Hiding
The introduction of strict regulations regarding cybersecurity disclosures is nothing new for the SEC. Robert J. Jackson Jr., the former SEC Commissioner (2018), said that current disclosure requirements “made a mistake on the side of non-disclosure” and frequently left investors clueless when companies were facing cybersecurity attacks.
Presently, company management is required to keep boards up to date about security issues, but there is no obligation to share these issues with investors or other customers. A combined report of 2021 revealed that, in a 2020 survey, 17 percent of Fortune 100 companies reported incidents of cybersecurity fraud to board members yearly or every four months.
The SEC is eager to bring change, having used a significant part of 2022 to introduce various proposals that, if successful, would require public companies to report cyber attacks. This is the case with the Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies proposal published on the 9th of February.
According to the document, the SEC proposes new rules under the Investment Company Act of 1940 and the Investment Advisers Act of 1940 to empower funds and advisers to act on new cybersecurity policies. These procedures address cybersecurity risks by requiring enterprises to notify the SEC of any significant cybersecurity event affecting the adviser, its fund, or private fund clients.
“Requiring a report on cybersecurity incidents from advisers and funds, in our opinion, would improve the efficiency and potency of our efforts to protect investors, financial markets, and other market participants in the event of a cybersecurity incident,” the SEC stated in the proposal. In a news conference, Jamil Farshchi, Equifax’s Chief Information Security Officer, stated that the proposed regulations would ensure transparency to corporate leadership and compel unprecedented cybersecurity accountability.
Rules Build A Stronger SEC
Several people believe that the SEC's recent move to become more actively involved in strengthening cybersecurity rules is a product of the SolarWinds hack. The hack is well known and is one of the worst cyberattack incidents the U.S. has ever encountered.
During that time, the U.S. saw various sectors of its government under siege by a team of Russia-supported hackers. The hackers infected updates from a federal contractor in the United States and used them to gain entry to various companies and government agencies. As a result of the hack, the SEC wrote letters to the companies it felt were liable for attacks, requesting a report on any hack they encountered and the damages incurred.
When the commission later received an insufficient number of disclosures, it created the Amnesty Program, which offers leniency to companies that later complied with the request to send in reports of attacks, even if they had not earlier revealed the incident to investors. The program has received praise from the National Association of Corporate Directors, the Cyber Threat Alliance, and SecurityScorecard. The SEC’s position on cyber risk is evolving, as seen by this initiative. The Chief Business and Legal Officer of SecurityScorecard, Sachin Bansal, said it is a “watershed” moment for the SEC.
Despite all this, the SEC's new proposal leaves many cases unhandled. If implemented, the new rules will require companies to reveal “material” or “major” cyber attacks. The SEC defines “material” information as any information with a “substantial possibility that a wise shareholder would see as important.”
Many people see the SEC definitions as too controversial to produce valuable transparency for the market. The controversy also means that the rules are subject to interpretation by the SEC case by case, allowing companies to appeal judgments and set precedents that render the proposal useless.
However, there is still a chance to make amends. The SEC isn’t prepared to vote on the proposal anytime soon, which gives industry participants time to discuss their concerns and solutions with the commission. It is unclear how this issue affects the cryptocurrency industry, with its increased investment funds and various digital assets and derivatives held in wallets. However, the proposed rules could lead to many disclosures arising from the crypto community.