The U.S. Securities and Exchange Commission has proposed a rule that would impose new cybersecurity disclosure requirements on manufacturers—and the NAM is pushing to make those requirements work better.
The background: The SEC issued guidance in 2018 telling public companies what information about their cybersecurity protections they should provide to investors, but the SEC now feels that more disclosure is warranted.
The requirements: The SEC has proposed a rule that would require two different kinds of disclosures from public companies:
- Cybersecurity incidents: If a manufacturer experiences a material cybersecurity incident like a breach or a hack, the company would have four days to make a public disclosure describing the nature of the incident, what systems were implicated and how the company is responding.
- Governance and risk management: The proposed rule would require manufacturers to disclose the processes they use to identify and guard against cybersecurity risks, with information on their procedures and personnel.
The problem: SEC disclosures are public—and by requiring detailed disclosures about cybersecurity processes and incidents, the proposed rule could force manufacturers to provide a roadmap to potential hackers and cyber attackers.
Our move: The NAM has urged the SEC to make commonsense adjustments to the rule in order to protect manufacturers from attacks and give companies the flexibility to respond to cybersecurity incidents appropriately.
Our take: “A final rule that requires timely and accurate reports without instituting one-size-fits-all mandates will ensure that shareholders have access to useful information without exposing businesses, investors, and all Americans to increased risks,” said NAM Managing Vice President of Tax and Domestic Economic Policy Chris Netram.