A top U.S. Securities and Exchange Commission (SEC) official on Wednesday defended the agency’s new cybersecurity disclosure rule in the face of withering criticism from industry groups and Republicans in Congress.
While Erik Gerding, the director of the division of corporation finance at the SEC, was not asked directly about a new Congressional effort to overturn the rule, he did tell an interviewer at the Aspen Cyber Summit that the SEC pushed forward the rule, set to go into effect next month, in part because it was concerned about the underreporting of cybersecurity incidents by public companies.
On Tuesday, Capitol Hill Republicans announced they plan to use a rare — and rarely successful — congressional procedure known as the Congressional Review Act to try to overturn the SEC rule, with Rep. Andrew Garbarino (R-NY) calling it a “complete overreach.”
The rule requires public companies to disclose cybersecurity incidents within four business days of determining they are material, with an exception for events that the Attorney General determines could pose a national security risk if made public.
Industry groups have argued that it is unclear what constitutes a material event, but Gerding suggested it is a basic judgment call based on “what a reasonable investor would consider to be significant.”
He said the SEC definition of materiality in the rule “builds right off of a Supreme Court decision.”
Investors deserve prompt information on cyber incidents, Gerding said, calling them "very similar to other kinds of risks companies face" such as equipment burning down or interest rate movements.
Gerding added that the SEC is not “trying to prescribe what is or is not good risk management.” Instead, he said, the agency wants to let investors make the decision for themselves, armed with the right information.
Much of the criticism around the new rule centers on the idea that disclosure will help cyber criminals, but Gerding waved that off.
“What we’re not looking for is technological details that give bad actors … a road map to pierce” a given company’s cyber defenses, he said.
The SEC is proposing the rule, he said, to help “investors understand whether companies are adequately winning [the] arms race” against cyber criminals.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.