Balancing Robust Cybersecurity Measures with the Practical Concerns of Smaller Entities: An Examination of the Proposed SEC Regulations
The Securities and Exchange Commission (SEC) has recently proposed regulations aimed at strengthening the cybersecurity practices of the market entities it regulates. The proposed measures, still subject to revision, would mandate the following:
1. Regular execution of penetration testing and vulnerability assessments
2. Establishment of a risk management program for the identification and mitigation of cybersecurity threats
3. Reporting substantial cybersecurity breaches to the SEC
4. Formulation of a board-approved cybersecurity policy
Public response to these proposed regulations has been mixed. Some applaud the SEC's proactive approach to protecting investors from cyberattacks. Others have voiced concern that the requirements are overly burdensome and would fall disproportionately on smaller firms.
Concerns for Smaller Corporations
The most prominent concern about the proposed regulations is their impact on smaller entities. Smaller firms have fewer resources and may be unable to implement controls comparable to those of larger organizations; for instance, it may not be economically viable for them to employ dedicated cybersecurity staff or to procure advanced security tooling.
The SEC has acknowledged these challenges and has suggested ways to soften the impact. One option would exempt smaller firms from the penetration-testing mandate; another would give them a longer time-frame in which to comply.
The penetration-testing mandate is among the most debated aspects of the proposal. Penetration testing involves authorized, simulated attacks on a company's systems, often carried out by a third party, to identify exploitable security weaknesses before a real attacker does. Some firms argue that such testing is costly and time-consuming and that its benefits do not justify the investment.
The SEC counters by stressing the role of penetration testing in identifying and mitigating cybersecurity threats, and it has promised guidance on conducting penetration testing cost-effectively.
Reporting Cybersecurity Breaches
The proposed mandate to report significant cybersecurity incidents to the SEC has also drawn objections. Some firms fear that the prospect of SEC penalties will discourage reporting rather than encourage it.
The SEC defends the mandate as necessary to protect investors from cyberattacks, and it has assured firms that good-faith reporting of a cybersecurity incident will not itself result in penalties.
Because the regulations are still under development, the timeline for their finalization remains uncertain.
Statement from Commissioner Peirce
In a public statement, SEC Commissioner Hester Peirce expressed concern that the proposal would burden firms in the middle of responding to an attack and would fall disproportionately on smaller firms:
“Unfortunately, with this proposal, the Commission has apparently decided its role is to be an enforcer demanding that a firm dealing with a cybersecurity attack first and repeatedly attend to the Commission’s voracious hunger for data. The Commission stands ready, not with assistance but with a cudgel to wield if the firm fails to comply with a complicated reporting regime, even if the firm resolves the incident by avoiding significant harm to the firm or its customers. …
When we engage with a regulated entity that has suffered a cyberattack, we deal with a victim. We typically deal with a victim who has made great effort to protect its systems and its customers’ data and is devoting significant resources to mitigate the harm from such an attack. Our priority should be to provide what support and information we can to assist the firm in this effort and, following resolution, to gather information that will help other firms in the future. Instead, this proposal demonstrates that our priority is to create even more legal peril for a firm in this situation, legal peril that will distract employees of the firm from mitigating the immediate threat to the firm and its customers as they navigate the aggressive deadlines and open-ended information demands of the Commission.”
The proposed SEC Rule 10 represents a substantial step in the effort to counter cyberattacks, but its potential impact on smaller firms is significant. Organizations that would be covered should evaluate the proposal carefully now and prepare a plan for compliance, rather than waiting for the final rule.