The federal Securities & Exchange Commission is proposing additional cybersecurity-related disclosure requirements that at least one public company in Arkansas says are burdensome, include a vague term and aren’t something its investors are requesting.
Several other public companies in the state declined or didn’t respond to requests for comments, but comments submitted to the agency echo those first two concerns and also say the effort by the SEC may have the unintended consequence of tipping cybercriminals off about companies’ vulnerabilities.
If implemented, the proposal would require:
- Reporting “material cybersecurity incidents” within four days (a time frame the SEC often uses in its rules and regulations) of becoming aware of them;
- Disclosing incidents in quarterly reports;
- Releasing periodic updates;
- Outlining the company’s cybersecurity policies and procedures, the board’s oversight of cybersecurity and management’s role concerning it;
- Sharing on an annual proxy statement whether any board members have cybersecurity expertise; and more.
Rich Howe, chairman and CEO of marketing technology provider Inuvo Inc. of Little Rock, and Troy Brazile, director of information technology for the small public company, said Inuvo already has robust cybersecurity processes in place both because cyberattacks are on the rise and because it expected the SEC to propose something like this at some point.
If the proposal is implemented, Howe said, his company would have to “spend more money to do things we would normally not do, and a private company would never do.
“A lot of those rules and regulations are just designed to try to find the bad, right? And the bad is a small number. So it’s like [the proposal is] optimizing for the small group, not the big group of companies that do the right thing. And most do. That’s the lion’s share.”
Little Rock attorneys Courtney Crouch with Mitchell Williams firm and Meredith Lowry with Wright Lindsey Jennings said the proposal requiring public companies to disclose a “material cybersecurity incident” within four days of knowing about it could be impractical given that companies may not know if an incident is in fact “material” within that time frame.
Crouch advises public companies on SEC compliance. He and the Inuvo executives said one concern about the SEC proposal is the vagueness of the term “material.”
That ties in with the challenge the four-day window presents.
The proposal will pressure companies to “not drag their feet” on cybersecurity, Crouch said, but “the challenge with [four days] is sometimes it takes some time to really assess how large of an incident, how big of a breach, was this and what data was impacted.”
Lowry said the attack itself could prevent the company from accomplishing all it needs to within the four days.
Crouch said the SEC’s proposal creates uncertainty for public companies. “We don’t know exactly what the final details of the rule will be, whether it will be adopted as proposed or whether it will be different from what the SEC has proposed initially, and what the time frame will be for implementation of it,” he said.
Crouch said his clients are concerned that the additional requirements will increase the administrative burden on them and about not knowing exactly what the SEC expects of them if its proposal, as written, is implemented.
He added that currently there is a “general obligation of public companies to disclose information that’s material to investors” and that companies have more flexibility at the moment to assess the significance and scope of an incident to determine whether it should be disclosed to the market.
Lowry doesn’t work with public companies but does work with small businesses, specializing in intellectual property, privacy and cybersecurity issues. The SEC proposal is part of a larger push by the Biden administration to get a handle on the rising threat of cyberattacks, she said.
Several agencies — the Treasury Department and the Federal Trade Commission among them — are expected to consider similar measures, Lowry said, and whatever they do will directly affect her clients.
But Lowry believes such measures are needed. “More and more, it’s going to be important that people, like customers in general, are aware of what’s going on with their data, and businesses need to be planning how to handle customer data in a proactive and responsible way,” she said.