The U.S. Securities and Exchange Commission has proposed a rule that would impose new cybersecurity disclosure requirements on manufacturers—and the NAM is pushing to make those requirements work better.
The background: The SEC issued guidance in 2018 telling public companies what information about their cybersecurity protections they should provide to investors, but the SEC now feels that more disclosure is warranted.
The requirements: The SEC has proposed a rule that would require two different kinds of disclosures from public companies:
- Cybersecurity incidents: If a manufacturer experiences a material cybersecurity incident like a breach or a hack, the company would have four days to make a public disclosure describing the nature of the incident, what systems were implicated and how the company is responding.
- Governance and risk management: The proposed rule would require manufacturers to disclose the processes they use to identify and guard against cybersecurity risks, with information on their procedures and personnel.
The problem: SEC disclosures are public—and by requiring detailed disclosures about cybersecurity processes and incidents, the proposed rule could force manufacturers to provide a roadmap to potential hackers and cyber attackers.
- At the same time, the inflexible four-day window for reporting cybersecurity incidents means that manufacturers would be required to disclose information about attacks even if an incident is ongoing or the subject of a law enforcement investigation.
- This could interfere with efforts to stop the attack, risking the exposure of sensitive information or implicating national security.
Our move: The NAM has urged the SEC to make commonsense adjustments to the rule in order to protect manufacturers from attacks and give companies the flexibility to respond to cybersecurity incidents appropriately.
- Specifically, the NAM has called on the SEC to adopt a more principles-based approach to the proposed risk management disclosures, allow for greater flexibility with respect to incident reporting and coordinate with U.S. law enforcement and national security experts when finalizing the rule.
Our take: “A final rule that requires timely and accurate reports without instituting one-size-fits-all mandates will ensure that shareholders have access to useful information without exposing businesses, investors, and all Americans to increased risks,” said NAM Managing Vice President of Tax and Domestic Economic Policy Chris Netram. “The NAM strongly supports a flexible approach to cybersecurity reporting, and manufacturers respectfully encourage the SEC to promulgate a final rule that allows public companies to both inform and protect their shareholders.”