A Proposed SEC Cyber Data Disclosure Advisory Commission
Securities Regulation Law Journal (forthcoming)
68 Pages Posted: 3 May 2022 Last revised: 8 Aug 2022
Date Written: April 29, 2022
Constant cyber threats result in: intellectual property loss; data disruption; ransomware attacks; theft of valuable company intellectual property and sensitive customer information. During March 2022, The Securities and Exchange Commission (SEC) issued a proposed rule addressing Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, which requires: 1. Current reporting about material cybersecurity incidents; 2. Periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks; 3. Management’s role in implementing cybersecurity policies and procedures; 4. Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; 5. Registrants to provide updates about previously reported cybersecurity incidents in their periodic reports; and 6. Cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”).
To paraphrase Lord Kelvin’s famous observation, “you can’t manage what you don’t measure.” How then does the Securities and Exchange Commission (SEC) craft a disclosure regime that captures in a structured data format all those measurable components of costs that allows management and investors to better understand the true costs incurred in cyber defense and breach mediation? This inquiry logically dovetails into the broader question of externality costs associated with cyberattack that, when ignored by industry, are placed as additional burdens upon government and other institutions (such as municipalities, school systems and universities) and customer citizens when their identity data is stolen and fraud committed against them. SEC chair Gary Gensler states, “The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars. Hackers have attacked broker-dealers, governmental agencies, meat processors, and pipelines. These attacks can take many forms from denials-of-service to malware to ransomware.” By now, a broad understanding of the pervasive threat of cyberattack from international criminal organizations, nation states, and even poorly capitalized criminal elements are legion. We will not replicate that discussion here, except to briefly mention several recent attacks to illustrate some of the difficulties and challenges in capturing accurate aggregate cost data.
We commend the SEC for their March 2022 issuance of a proposed rule addressing Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. In the following pages we recommend that the SEC build upon the March 2022 proposed rule by creating a Cyber Data Disclosure Commission to be comprised of relevant stakeholder groups to investigate and promulgate suggestions for a standardized disclosure regime for cyber data. Our task of creating a template that will define and capture those measurable costs that are necessarily required for a meaningful analysis is multifaceted. Just a few of the many complex issues include:
1. What cybersecurity disclosure information is useful to investors?;
2. What investments in cyber defense are period costs?;
3. Which costs should appropriately be capitalized such as secondary data recovery centers (if any) and amortized over what period of time (for reporting purposes)?;
4. How do we measure known losses?
5. Which imputed costs (if any), such as lost sales, are appropriate for inclusion in our measurement?
6. Can agreement be reached about how reputational costs associated with cyber breaches should be measured (imputed)?
Our paper proceeds in seven parts. First, we provide a brief discussion about the difficult challenges associated with capturing cyber threat data. Second, is a brief history of the SEC disclosure regime. Third, we address the economics of cybersecurity. Fourth, we provide a proposed schematic for composition and workflow for an SEC Cyber Data Disclosure Commission. Fifth, we highlight the important implications of this study for the preservation of U.S. national security interests. The American business community is a critical link in the national cyber security equation. Any weak link in the system constitutes an unacceptable vulnerability for all citizens. Sixth, we recommend the Commission consider asking Congress to pass legislation creating a Public Company Cybersecurity Oversight Board for publicly-traded companies similar to the PCAOB. And last, we conclude. We believe this proposal is significant and represents a timely contribution in fostering better cooperation between all interested stakeholders in cyber hygiene and security.
Keywords: administrative law, asymmetries, attack, blockchain, breach, corporate governance, cost-benefit analysis, cyber data disclosure, deep fakes, Division of Corporation Finance, economic analysis, enforcement, externalities, information security, intermediary liability, malware, national security
Suggested Citation: Suggested Citation