The Securities and Exchange Commission’s (SEC) proposed cybersecurity rules have hit a roadblock, with the finalization delayed until October 2023 at the earliest.
Initially, the SEC aimed to finalize its two new sets of rules by April 2023. The delay’s cause remains a mystery, but ongoing debates about the new rules could be involved.
One set focuses on public companies and regulated entities, while the other concerns investment advisers, registered investment companies, and business development firms.
These proposed regulations seek to increase transparency and accountability regarding public companies’ handling of cybersecurity incidents.
“Companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” says SEC Chair Gary Gensler.
Key elements of the proposed rules for public companies include a four-day disclosure timeframe for significant cybersecurity incidents, increased information on Board cybersecurity expertise, enhanced disclosures on risk management, and aggregation requirements for individually non-material incidents.
Gensler acknowledges that many companies already make such disclosures but advocates for mandatory consistency.
In addition to the public company rules, the SEC has suggested regulations for cybersecurity risk management in the investment industry.
These rules would require companies to adopt written cybersecurity policies and procedures, report notable cybersecurity incidents, and maintain proper records.
However, the reporting timeframe raises questions about potential interference with law enforcement investigations. The rules as currently proposed provide only a 4-day turnaround time for reports, which may not be enough time to conduct comprehensive investigations.
The SEC must consider these worries as it finishes making the new rules and aim for a balance that increases security without disrupting ongoing investigations.
In the end, though, by implementing new rules and stepping up public and private cybersecurity, the SEC is pushing everyone to take their privacy and security more seriously.