
SRFF Signs Letter Supporting SEC Cybersecurity Reporting Rule


Secure Resilient Future Foundation joins Consumer Reports, Consumer Federation of America, and the Electronic Privacy Information Center (EPIC) in urging the Securities and Exchange Commission (SEC) to uphold its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule.

Since 2023, this rule has required companies to disclose all material cybersecurity issues, allowing for greater transparency regarding a company’s security. The sharing of information on material cyber incidents enables both investors and consumers to make informed decisions while also facilitating transparency and the tracking of cyberattacks. 

Despite this, the American Bankers Association has led a petition in recent months encouraging the SEC to repeal the rule. The ABA claims that the rule forces companies to disclose cybersecurity incidents before being able to take the time to investigate them fully, adding higher costs and confusion to security monitoring.

However, as outlined in our letter to the SEC, these fears are not supported by facts. As currently implemented, reports to the SEC need to be filed only for material cyber incidents, and companies can wait to file until the material nature of the attack has been confirmed. Additionally, the SEC clarified that companies should submit reports only if the incident impacts investors, leading to more streamlined reporting. A company can also apply to withhold releasing a cybersecurity report if the information would pose national security or public safety risks. 

Disclosing cyber attacks at an early stage provides investors with vital information regarding the health and operations of firms that they have invested in or are considering investing in. It also provides regulators, law enforcement and the public with vital insights into active campaigns by both cybercriminal and nation-state actors, the impacts of which are difficult to anticipate. Disclosure does not interfere with or complicate cyber incident response. Recent history has shown that firms experiencing material cyber incidents have disclosed them without suffering the consequences warned of by the ABA and other groups.

Like the other signatories, SRFF supports the rights of investors and the public to know about the cybersecurity incidents that have a material impact on the companies they invest in and rely on. There is no security in obscurity: the public has a right to monitor cyber attacks, while companies have an obligation to be transparent about serious cybersecurity incidents.

For more information, you can read the letter in full at: https://advocacy.consumerreports.org/research/consumer-reports-urges-sec-to-retain-cyber-incident-reporting-rules/

About SRFF

Secure Resilient Future Foundation is an organization focused on protecting and promoting transparent, secure, and sustainable technology in our digital world. To keep up to date with SRFF and our current campaigns, check out our other blog posts, and please join our email list at https://secure-resilient.org/join-the-fight/. SRFF is also a non-profit organization of cybersecurity and technology experts that fights for digital progress with the help of donations. You can donate to SRFF and further support our mission at https://givebutter.com/SRFFlaunch 
