November 5, 2021

SEC Cyber Disclosure Rules: Prescriptive or Principles-Based?

The most recent edition of the SEC’s Reg Flex agenda includes proposing rule amendments intended to “enhance issuer disclosures regarding cybersecurity risk governance,” and in his September 2021 Senate Banking Committee testimony, SEC Chair Gary Gensler stated that he’d asked the Staff to “develop proposals for the Commission’s consideration on these potential disclosures.” So, it’s pretty clear that there’s cyber disclosure rulemaking on the horizon, but what form will the rule proposal take?

Last Friday, Commissioner Elad Roisman delivered a speech that suggests the debate may again be between those commissioners who favor principles-based rules and those who prefer a more prescriptive, line item-based approach.  Not surprisingly, this excerpt from his speech indicates that Roisman’s squarely in the principles-based camp:

As some of you may have noticed, the Commission’s regulatory agenda includes possible regulatory action with regard to issuers, which could build on the Commission’s 2018 guidance. I have not seen any draft rule, so I cannot speak as to its nature or merits. But I will let you know some of the things that I would be looking for as I consider any additional rules in this area.

First, we need to define any new legal obligations clearly. Second, we need to make sure that these obligations do not create inconsistencies with requirements established by our sister government agencies. Third, we should recognize that some registrants have greater resources than others, and we should not try to set the resource requirements for an entity. And finally, because issuers’ businesses vary, the cybersecurity-related risks they face also will vary, and therefore a principles-based rule would likely work best.

My guess is that he’ll get buy-in from the other commissioners on the first three points, but given the reaction of the Democratic commissioners to prior principles-based proposals, I’m not very optimistic that Roisman will carry the day on his desire for a principles-based approach.

John Jenkins