Wed. Dec 1st, 2021

Post Equifax, those who hoped that the US Securities and Exchange Commission would impose tougher rules (and consequences for breaking them) around reporting breaches will be disappointed.


The Securities and Exchange Commission (SEC) issued new guidance in February, urging senior executives and board members to pay closer attention to cybersecurity. However, the recommendations, while more stringent than what was in place before, don’t go far enough, critics say, and, more importantly, lack teeth.

No consequences for failure

In a set of recommendations about disclosures of cybersecurity risks back in 2011, the SEC said that companies need to “disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”

The agency clarified that this did not require businesses to talk about specific technical details of those risks. As a result, the disclosures that companies did make were not particularly useful, according to a 2014 study by PricewaterhouseCoopers and the Investor Responsibility Research Center Institute. Instead, the disclosures “rarely provide differentiated or actionable information for investors.”

In addition, the earlier guidance suggested that the SEC would not enforce any of its cybersecurity recommendations, says Ernest Badway, co-chair of the securities industry practice at Fox Rothschild LLP. Instead, the agency would work with them “to make sure they have protections in place.”

In the future, the SEC would consider enforcement actions if the companies ignored the recommendations, he says, but there was no sign of that enforcement in the new guidance. In fact, Badway says, it doesn’t offer much more than the original 2011 recommendations did.

“It’s quite well and good to point out all these issues,” Badway says. “However, what they’re not doing is saying what happens when a company failed to meet these regulations. There’s no bite. All it really says is that everyone knows it’s important to have policies, procedures, and a plan in place for when something goes wrong, and that people shouldn’t be trading on information if they know it’s been a hack.”

By comparison, other cybersecurity regulations have significant enforcement power behind them. Breach notification laws, for example, are in place in 48 states, Washington, DC, and Puerto Rico, according to the law firm Perkins Coie.

A year ago, New York began requiring comprehensive cybersecurity assessments from financial services companies in the state. This May, the European Union’s General Data Protection Regulation (GDPR) goes into effect with fines of up to 20 million euros or 4 percent of annual global revenues, whichever is higher.


Article Credit: CSO
