No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Cybersecurity

Will Proposed SEC Cybersecurity Disclosure Rules Enhance Defenses or Hamper Responses? There’s Still Time to Assess and Comment.

by Jordan Rae Kelly
April 6, 2022
in Cybersecurity, Opinion
SEC building

Proposed rules relating to incident reporting aim to improve cybersecurity in public companies, but FTI Consulting’s Jordan Rae Kelly suggests the SEC’s well-intentioned requirements could have unintended consequences.

The SEC recently voted in favor of a proposal that would require publicly traded companies to report cybersecurity incidents and data breaches within four days, as well as disclose updates regarding previous incidents.

The proposed rules are subject to a public comment period through May 9, 2022.

The Best of Intentions …

In a speech presented at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chairman Gary Gensler stated that the agency is working to “improve the overall cybersecurity posture and resiliency of the financial sector.”

This proposal follows a global trend of increased attention and corresponding regulation regarding cybersecurity, and the expectation that organizations are doing all they can to protect their own interests and the interests of their customers and clients (e.g., personal information).

The proposed SEC regulation aside, organizations should already be determining and analyzing how to properly invest in cybersecurity. However, this may serve as a wake-up call for those who have not considered the genuine cybersecurity risk they face. Certainly, the SEC believes that increased regulation that makes organizations more forthcoming about cybersecurity risk will help drive positive behavior and improve cybersecurity readiness.

… Often Breed Unintended Consequences

Cybersecurity risks facing all organizations, including those in the financial services industry, are significant and carry the potential for costly damages, both financially and reputationally. Carefully considered regulation that helps improve cybersecurity programs and processes and that mitigates risk is a step in the right direction.

However, in its current form, the proposed rules may have the opposite effect on organizations. The proposal could, for example:

  • Divert resources and attention mid-crisis: Concentrating on compliance and regulatory requirements diverts valuable resources away from adequately addressing an incident in a timely manner. When dealing with a cybersecurity incident, which might be the largest crisis an organization faces all year, the focus should be on containment, recovery and remediation. This added pressure to comply with stringent regulation could create impediments and lead to additional damages that could otherwise be avoided.
  • Publicly expose network weaknesses: Further, the proposed regulation creates concerns around data security. The information requested during mandatory disclosure is often sensitive in nature and would be damaging if leaked. Specifics around what protections are in place — and more importantly, what areas are lacking proper defenses — would be highly valuable to malicious cyber actors. If exposed, this information could serve as a playbook for how to gain entry to systems and networks.
  • Convey more power to bad actors: Cybersecurity teams at many organizations are short-handed and overworked pre-incident. Shifting their focus to disclosures and reporting for compliance purposes gives the upper hand back to the cyber actors, as they are now dealing with a distracted team.

The Key to Cybersecurity Is Investor Engagement

Whether the SEC’s proposal achieves the intended outcome of improving the cybersecurity practices of publicly traded companies, or at least effectively changes the behavior of impacted organizations, is yet to be seen. What may end up being a more significant driver of change is the role of investors and their ability to access disclosures.

In Gensler’s speech, he noted that “if customer data is stolen, if a company paid ransomware, that may be material to investors.” In other words, a decision to invest may come down to how secure the organization is and how much risk they possess.

This allows cybersecurity to be a market differentiator and value-add, as groups will potentially look to invest elsewhere if it is known that an organization has not adequately addressed cybersecurity risk. This is ultimately where the SEC’s proposed regulation could have the largest impact. Organizations are more likely to focus on ensuring they are meeting cybersecurity requirements to remain attractive to investors versus working to achieve compliance to avoid enforcement penalties.

When explained to organizations in this light — implementing proper cybersecurity programs will better protect critical assets and give investors greater confidence — it hopefully resonates and positively changes behavior regarding cybersecurity. Conversely, if SEC messaging focuses on reporting and disclosure requirements, which it can be argued further penalizes an organization already in crisis mode by giving them additional work, the regulation will likely not have its desired effect.

The views expressed herein are those of the author and not necessarily the views of FTI Consulting Inc., its management, its subsidiaries, its affiliates or its other professionals.


Tags: Financial ReportingSEC
Previous Post

The South and the Slap — Creating Space and Time for Healing

Next Post

Shyft Launches Veriscope to Help Crypto Exchanges Comply With Travel Rule

Jordan Rae Kelly

Jordan Rae Kelly

Jordan Rae Kelly is Senior Managing Director and Head of Cybersecurity for the Americas at FTI Consulting. She has more than 15 years of experience coordinating incident response and managing cyber policy planning including service as the Director for Cyber Incident Response on the National Security Council at the White House. She Kelly also served as Chief of Staff and Chief of Strategic Initiatives in the Federal Bureau of Investigation’s (FBI) Cyber Division. In 2020, Kelly was named to Consulting magazine’s inaugural Women Leaders in Technology list. She holds a bachelor’s degree from Wake Forest University and a Juris Doctorate from the University of Tennessee College of Law.

Related Posts

esg sec clawback confusion

Unpacking the SEC’s Executive Compensation Clawback Rule

by John Peiserich
January 4, 2023

The SEC has finalized its long-awaited clawback policy mandated by the Dodd-Frank Act, issuing final rules that are scheduled to...

cci top 10 stories collage

Top 10 Compliance Stories of 2022

by Jennifer L. Gaskin
December 7, 2022

The more things change, the more they stay the same. This time last year, we summarized the top 10 ESG...

Fox Oracle FCPA Enforcement Action wp_f

Oracle: FCPA Recidivist

by Corporate Compliance Insights
October 20, 2022

Breaking down the FCPA allegations against technology company Oracle Corp. Unpacking Oracle FCPA Enforcement Action Oracle: FCPA Recidivist What’s in...

sec pay vs perf

Are You Ready for Stepped-Up Pay Vs. Performance Requirements in 2023 Proxy Season?

by Rosebud Nau and Alexandria Pencsak
October 10, 2022

Most public companies will be required to disclose details about executive compensation starting with next year’s proxy statements, under rules...

Next Post
shyft veriscope launch

Shyft Launches Veriscope to Help Crypto Exchanges Comply With Travel Rule

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Code of Conduct Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT