In 2011, the SEC issued cybersecurity guidelines indicating the types of cyber risks that publicly-traded companies must
Question:
In 2011, the SEC issued cybersecurity guidelines indicating the types of cyber risks that publicly-traded companies must disclose in their annual reports and quarterly reports to shareholders. In the guidelines, the SEC explains:
While registrants should provide disclosure tailored to their particular circumstances and avoid generic "boilerplate" disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant's cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.
The SEC reinforced this approach when it clarified the guidance in 2018. The statement indicates two competing values in the disclosure-centered regulatory framework adopted by the SEC as it attempts to implement the Securities Act of 1933 and the Securities Exchange Act of 1934. On the one hand, the SEC encourages publicly-traded companies to reveal material information to shareholders, including information about cyber risks. On the other hand, it acknowledges that publicly-traded companies may want to avoid the disclosure of certain confidential defensive cyber policies and proprietary technology. Do you believe that the SEC policy correctly balances these competing interests? Would you place greater emphasis on transparency or on protecting the proprietary information of the publicly-traded company? Is one approach more consistent with the SEC's mission to protect the public interest and prevent boards of directors and executives of publicly-traded companies from concealing information that a reasonable investor would consider important when making an investment decision? Are there legitimate reasons why publicly-traded companies might resist revealing information regarding 1) successful cyberattacks by hackers that lead to breaches of their network infrastructure; 2) cyber risks that the company has identified; and 3) concerns regarding cyber risks that they have not yet developed policies to address?