'Groundbreaking' or Broken? An Analysis of SEC Cyber-Security Disclosure Guidance, Its Effectiveness, and Implications
51 Pages Posted: 29 Jun 2013 Last revised: 20 May 2014
Date Written: May 5, 2013
Abstract
In October 2011, the Securities and Exchange Commission (SEC) responded to mounting concern about the threat of cyber-attacks on corporate America by issuing staff guidance on when publicly traded companies should disclose information about cybersecurity vulnerabilities and attacks in their annual public filings. This SEC cybersecurity disclosure guidance has escaped serious analysis until now. Using case studies and paying particular attention to the comment letters sent by the SEC to registrants to prompt greater disclosure, this article concludes that the guidance both procedurally overreaches and substantively underachieves. It overreaches because, while it is facially a nonlegislative rule, it has had the practical effect of binding private conduct as if it were a legislative one, violating the Administrative Procedure Act. It underachieves because the disclosures it requires are vague, similar across industries and companies, and bring little information to the marketplace. In particular, it fails to resolve an information asymmetry problem — between corporate managers and stockholders — that the disclosure laws are meant to address. To resolve these defects, the SEC should elevate cybersecurity disclosure guidance and issue it as a legislative rule, after a notice and comment period. Notice and comment rulemaking would contribute to sounder policy by allowing stakeholders to offer their expertise and experience at the front-end of the rulemaking process, improving the rule and its acceptability among the public.
This guidance offers a counterexample to those who say that agencies do not commonly use guidance documents to make important policy decisions outside of the notice and comment process. The experience with this guidance also suggests the limits of agency creativity during periods of political ossification, and it challenges the simple verity that economic security and national security have merged.
Keywords: business law, cyber-security, administrative law, corporate law, securities law, corporate disclosure, Securities and Exchange Commission, SEC, filings, legislative rule, non-legislative rule, guidance, hack, attack, Administrative Procedure Act, network security