Proposed SEC Cybersecurity Rule Imposes Excessive Pressure on CISOs

The Securities and Exchange Commission (SEC) introduced a rule called the Proposed Rule for Public Companies (PRPC) in March 2022, focused on cybersecurity disclosure, governance, and risk management for public companies. Under this rule, companies would be required to report any “material” cybersecurity incidents within four days and ensure that their boards of directors have adequate cybersecurity expertise.

However, the proposed rule has faced significant pushback due to its questionable practicality and vague definitions. One major concern is the tight four-day disclosure window, which puts immense pressure on chief information security officers (CISOs) to report incidents before having all the necessary details. It can take weeks or even months to fully understand and address cybersecurity incidents, and premature disclosure could lead to incomplete or inaccurate information being shared with the public. Additionally, CISOs may be forced to disclose vulnerabilities that might turn out to be less significant with more time and resources allocated for remediation. This could potentially impact a company’s short-term stock prices.

Comparing the PRPC with the European Union’s General Data Protection Regulation (GDPR), another cybersecurity regulation, further highlights the flaws in the proposed rule. Under the GDPR, companies are required to report incidents of non-compliance within 72 hours. While this timeline is often insufficient to fully grasp the impact of an incident, companies at least have a clear understanding of when to report if personal information is compromised. In contrast, the PRPC’s disclosure requirements are less defined and rely on internal qualification of whether an incident is “material.” The SEC defines materiality as anything that a “reasonable shareholder would consider important,” leaving room for interpretation and lacking clarity.

Another weakness in the proposed rule is the requirement to disclose aggregated incidents that were not material individually but become significant when combined. This raises questions about how organizations should determine when to disclose such incidents and how the aggregation clause complicates the process. Additionally, the rule mandates the disclosure of policy changes resulting from previous incidents, which may not always be necessary or relevant. Policies are meant to be statements of intent rather than low-level configuration guides, and updating higher-level documents due to incidents may be unnecessary in many cases.

Furthermore, the proposal suggests that quarterly earnings reports would be the appropriate platform for these disclosures. This raises concerns about who should provide the updates, as the CFO or CEO, who typically deliver the earnings reports, may not possess sufficient knowledge about cybersecurity incidents and policies. Should the CISO join the calls, they may also face questions from financial analysts, making the process impractical and potentially misleading.

The initial version of the PRPC required disclosures about board oversight of cybersecurity risk management policies and the individual board members’ cyber expertise. However, this requirement was later removed due to scrutiny. Nonetheless, the rule still emphasizes the need for companies to describe the board’s process for overseeing cybersecurity risks and the management’s role in handling those risks. This highlights the importance of improving communication and awareness between the board and security executives. A survey of 600 board members revealed that only a fraction of them regularly interact with their CISOs, indicating a significant communication gap that needs to be bridged.

As with any new regulation, there are uncertainties and questions surrounding the PRPC. The industry will have to wait and see how it evolves and whether companies can effectively meet the proposed requirements. In the meantime, it is essential for organizations and regulators to address the concerns raised by industry professionals and work towards establishing clearer guidelines and practical timelines for cybersecurity incident disclosure and risk management.
