The Council of Institutional Investors submitted comments on Monday supporting the SEC’s proposed cybersecurity regulation. The March proposal would require public companies to report cybersecurity incidents via Form 8-K within four days after a security breach has occurred. It would also require registrants to disclose the policies and procedures in place for dealing with cybersecurity issues and the individual board members’ experience with cybersecurity.
“We are pleased to see that the proposed rules address the role of the board in cybersecurity risk management and strategy in a thorough manner, including disclosure of whether any board member has expertise or experience in cybersecurity,” writes Tracy Stewart, director of research at the Council of Institutional Investors, in the council’s public comment.
Stewart notes that while the policy requires board members to disclose more information about themselves, the Council of Institutional Investors does not think it will affect board member participation.
“We believe disclosing the names of board members with cyber expertise is unlikely to deter such members from performing board service,” states Stewart. “Cybersecurity is the responsibility of the full board, [and] board members with this expertise should not expect higher risk from their service and therefore not be deterred.”
A comment signed by representatives from Railpen, Royal London Asset Management, USS Investment Management and NEST states that this regulation would be a game changer for institutional investors, who are heavily invested in public companies that are potential targets for cyber criminals.
“While effective governance of—and reporting on—cybersecurity and cyber breaches is vital, many companies do not disclose enough detail to ensure investors are sufficiently informed on what is a material issue of growing importance,” states the comment.
Legislators also voiced their support for the law, saying that it would help protect investors and increase the number of corporate board members with cybersecurity experience.
“Only 40% of boards have a director with cybersecurity experience,” states a comment signed by the bipartisan group of U.S. Senators Jack Reed, Catherine Cortez Masto, Kevin Cramer, Angus S. King, Jr., Ron Wyden, Mark R. Warner and Susan M. Collins. “The proposal appropriately recognizes that boards must be more vigilant because cybersecurity is among the most significant challenges companies face.”
The comment also states that cybersecurity is a particularly big risk for public companies, which the senators believe makes the law even more important.
However, not all legislators were on board with the proposal. Senator Rob Portman, R-Ohio, voiced his concern that the reported data could unintentionally help cyber criminals.
“I am concerned the detailed public disclosures this rule proposes risks providing cybercriminals with information they could exploit to damage national cybersecurity, impair law enforcement investigations and frustrate government responses to cyberattacks,” writes Portman.
Portman states that the proposed rule did not include an exemption for reporting ongoing law enforcement investigations.
“Premature public disclosure can also hinder a variety of important government functions including deterrence and recovery actions, attribution, broader remediation and sharing of threat and vulnerability information with other potential targets,” states Portman.
The deadline for comments related to this proposal was May 9.