Securities Regulation Daily Wrap Up, PUBLIC COMPANY REPORTING AND DISCLOSURE—House FSC advances resolution to disapprove SEC’s cyber regulation, (May 17, 2024)
Other bills reported out of committee would target the SEC for rulemaking reforms, demote the PCAOB, and strip PII from the consolidated audit trail.
The House Financial Services Committee voted to report a Congressional Review Act (CRA) resolution disapproving the SEC’s latest cybersecurity disclosure regulation. The measure was one of three considered and reported by the committee, and it caps a busy May for securities legislation: Congress has also sent a CRA resolution on SEC staff guidance to the White House and laid the groundwork for the full House to take up, in the coming week, blockchain legislation that, if enacted, would divide crypto regulatory authority between the SEC and the CFTC. The cybersecurity resolution, along with two other bills dealing with SEC rulemaking reforms and the exclusion of personally identifiable information (PII) from the consolidated audit trail (CAT), was reported by the House FSC on party lines by votes of 27-22. The White House has already indicated a likely veto of the similar Senate resolution introduced last year.
Cyber CRA resolution. As to timing, the resolution would repeal a regulation that is already in effect and with which most public companies must already comply. The remaining exceptions are smaller reporting companies, which must comply with certain requirements by mid-June 2024, and the inline XBRL tagging mandate, with which all subject companies must comply by mid-December 2024. Companies are thus well into their efforts to comply with the SEC’s expanded, formal disclosure regime for cybersecurity incidents.
The sponsor of the resolution, Rep. Andrew Garbarino (R-NY), said the SEC’s regulation should be curbed because, among other things, it requires public disclosure of the details of a cybersecurity incident too early, before the breach can be fixed, a situation that, he suggested, may help hackers.
Representative Garbarino also suggested that the regulation’s provision allowing public disclosure to be delayed when the Department of Justice finds a delay justified would be unworkable, because, he said, DOJ officials have already signaled that delays would rarely be granted.
Rep. Garbarino also argued, much as others have argued about the SEC’s climate risk disclosure regulation (i.e., that the EPA, not the SEC, should regulate climate change), that the Cybersecurity and Infrastructure Security Agency (CISA), not the SEC, should be the primary cybersecurity regulator.
House FSC Ranking Member Maxine Waters (D-Calif) countered that, while the SEC regulation mandates incident-by-incident and annual public disclosures about cybersecurity, it does not require disclosure of just any breach, because a company subject to the regulation must first find a breach to be material before disclosure is required.
Ranking Member Waters also asserted that the resolution would harm investors by permitting companies, in the absence of a disclosure obligation, to hide inadequate or even nonexistent cybersecurity policies. She also noted that if the resolution were to become law, the SEC would be unable to issue substantially similar cybersecurity rules without new Congressional authority.
Cyber disclosure basics. The SEC cybersecurity regulation divides companies’ obligations into two parts. The first part requires companies to make disclosures in their annual reports about their risk management and strategy for dealing with cyber threats. Specifically, a company must describe its processes for assessing, identifying, and managing material risks from cyber threats, in enough detail to inform a reasonable investor of those processes. Further disclosures must address governance, such as board oversight of cyber threats and management’s role in assessing and managing those threats.
The second part addresses current reports (and the analogous filings for foreign private issuers). Here, a company that has experienced a cybersecurity incident it has determined to be material must disclose on Form 8-K, within four business days of that determination, the material aspects of the nature, scope and timing of the incident and its material impact (or reasonably likely material impact) on the company, including on its financial condition and results of operations.
An instruction to Item 1.05 of Form 8-K restates a key principle from the staff guidance the SEC issued in 2011 (and reiterated in Commission-level guidance in 2018): companies must disclose cyber incidents without giving hackers a roadmap to the company’s vulnerabilities. The instruction to the final regulation reads: “A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”
The Form 8-K disclosure can, however, be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and so notifies the SEC in writing. The initial delay is for up to 30 days, extendable by a further 30 days, and in extraordinary circumstances by up to 60 additional days where national security is at stake.
Reforming the SEC. The House FSC also considered two additional securities bills. First, the SEC Reform and Restructuring Act, sponsored by Rep. Ann Wagner (R-Mo), partly reminiscent of the now long-defunct CHOICE Act from a prior session of Congress, would emphasize rulemaking reforms and accountability to Congress, but also would make significant changes regarding auditor oversight:
Rulemaking reforms—Title I would require the SEC to clearly identify the problem to be addressed by a rulemaking before issuing a proposal (historically the SEC has done something like this via concept releases) and to ensure that a new rulemaking is within the SEC’s jurisdiction. Title I also expresses the sense of Congress that the PCAOB should follow the same requirements (which sits somewhat awkwardly with another provision, discussed below, that would demote the PCAOB). Titles IV and V would, respectively, mandate periodic SEC rule reviews every five years and direct the GAO to study major rules promulgated by the SEC. Title II would require the SEC chair to testify at least twice per year before the relevant House and Senate committees. Title VII would impose a minimum public comment period on proposed rules of 60 days (30 days if the rulemaking involves imminent investor harm). The comment period provision responds to criticism that the Gensler-led SEC has used shorter comment periods than is traditional, although many of the criticized rulemakings ultimately received extended comment periods, either because the periods were reopened or because technical glitches forced them to be lengthened.
PCAOB to be demoted—Title V would demote the Public Company Accounting Oversight Board (PCAOB) from a board structure to an office within the SEC’s Office of the Chief Accountant. An SEC Historical Society panel several years ago detailed the making of federal corporate governance law upon the 20th anniversary of the Sarbanes-Oxley Act, including a discussion of the PCAOB, a key piece of the SOX legislation. During its history, the PCAOB has withstood a constitutional challenge to its structure, criticism of board members’ high salaries compared to those of other government officials, a cheating scandal and, in recent years, the repeated and nearly wholesale replacement of its board membership at the start of each new White House administration (Trump Administration; Biden Administration).
IT and the CAT—Title IV would direct the GAO to audit the SEC’s information technology infrastructure and the agency’s ability to handle data. A related bill, proposed outside the reform package and sponsored by Rep. Barry Loudermilk (R-Ga), would bar the CAT from requiring that personally identifiable information be reported to it. Representative Loudermilk characterized the CAT as a “surveillance tool” and suggested that it does not function to provide public transparency, although he said the bill would not otherwise limit the CAT.
Both the SEC Reform and Restructuring Act and the separate CAT bill, formally titled the Protecting Investors’ Personally Identifiable Information Act, were favorably reported by votes of 27-22.