The US Securities and Exchange Commission (SEC) will now require publicly traded companies to report major cyber incidents to investors within four days of a breach. Wall Street is also proposing new requirements for firms to disclose any AI-related trading conflicts of interest.
The new rules on “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies” were voted on by the five-member Commission and announced Wednesday.
“Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors,” said SEC Chair Gary Gensler.
“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” Gensler said.
Disclosure within four days will be required if a cyber incident is considered serious enough to be material to investors, but the requirement can be waived by the US Attorney General if disclosure is deemed a substantial risk to national security or public safety.
Information required in the disclosure will include the material aspects of the incident's nature, scope, and timing, as well as its impact or likely material impact on the registrant, the SEC said.
Gensler said the new “rules will benefit investors, companies, and the markets connecting them.”
The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.
Ensuring that companies disclose material cybersecurity information will help public investors cope with the rising costs and frequency of attacks, SEC officials say.
Linux Foundation’s Open Source Security Foundation General Manager Omkhar Arasaratnam said his firm is a “strong proponent of having well-documented and practiced incident response plans to handle security breaches.”
“Not only will SEC-regulated companies require this as a matter of compliance, but well-practiced incident response plans will allow companies to react more efficiently and predictably when a cyber incident should occur,” Arasaratnam said.
Another rule voted on Wednesday will build upon a March 2022 proposal requiring a company’s board of directors to periodically report on a company’s oversight and expertise in assessing and managing risks from cybersecurity threats.
The SEC says the rule will help to harden the financial system against data theft, systems failure, and cyber-intrusions.
SEC tackles AI
During the session, the SEC also voted for a proposal that would require companies to reveal if AI-trading platforms are being used by stockbroker-dealers to avoid any conflicts of interest, such as using AI to drive user behavior.
The proposal's goal is to "eliminate or neutralize" any type of conflict that might occur if the predictive AI and robo advisors (being used on a trading platform) end up putting the broker’s financial interest ahead of the interests of the firm’s clients.
One example of outside factors driving user behavior is Elon Musk’s infamous 2021 Dogecoin meme rally, which has the tech billionaire being sued by the SEC for market manipulation and defrauding investors. A meme stock rally occurs when a specific stock gains publicity and goes viral on social media, causing the stock to artificially inflate in perceived value and price while a naive public clamors to invest in the false worth, causing an eventual crash.
In 2021, over-inflated share prices of meme stock GameStop caused mayhem on Wall Street and chaos among users of the popular Robinhood trading platform. The chaos prompted Robinhood to controversially restrict users from buying shares in GameStop, and nearly a dozen other viral stocks at the time, to protect the company and its customers from volatility.
Republican commissioners objected to all the new rules voted in on Wednesday, citing undue burden on companies, repetition of already existing requirements, and restricting the use of new technologies.
An additional proposal was voted on which could require more internet-based investment advisors to register with the SEC. Once registered, the advisors would be required to provide investment advice through a functioning, interactive website.
The final rules will become effective 30 days following publication of the adopting release in the Federal Register.