The rising incidence of cyberattacks is costing the U.S. economy billions every year, while threatening the functioning of critical infrastructure like pipelines and water treatment facilities.
President Joe Biden has made it a priority to improve U.S. government defenses against cyberattacks, and Congress is considering legislation that would improve public-private collaboration on the issue.
Now, Securities and Exchange Commission Chairman Gary Gensler wants to leverage his agency’s regulatory powers to compel companies to disclose risks to their businesses from cyber attacks and to systematically divulge incidents of cyber attacks to investors, according to a speech delivered Monday before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute.
“Cybersecurity is an emerging risk with which public issuers increasingly must contend,” Gensler said. “A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.”
Gensler noted that public companies are already required to divulge material information, including about cyberattacks, to their investors in a timely fashion. Last June, the SEC settled charges against First American Financial Corp. for inadequate disclosure controls and procedures for dealing with a revealed cyber vulnerability. First American settled without admitting or denying the SEC charges.
The SEC chairman also suggested that the agency, perhaps with additional authority granted by Congress, could look to regulate public companies’ third-party service providers. These companies include index providers, data analysis concerns, and investor reporting systems. The SEC and Department of Justice recently investigated a case in which a criminal group in Russia hacked into the computer networks of vendors used by public companies to submit filings to the SEC.
Gensler suggested the SEC could promulgate rules making public companies accountable for their vendors’ cybersecurity measures, or requiring public companies to identify which third-party providers pose risks. Many of these vendors are not required by law to register with the SEC, but Gensler hinted that Congress may want to change that.
“It’s worth noting that banking agencies regulate and supervise certain banks’ third-party service providers directly through the Bank Service Company Act,” Gensler said. “It might be worthwhile to consider similar authorities for market regulators.”