The Securities and Exchange Commission has adopted cybersecurity rules requiring public companies to disclose material information about their cybersecurity risk management, strategy and governance, and to disclose a cybersecurity incident within four business days of determining that it is material to investors.
The adopted rules have no direct implications for municipal issuers, but the requirements on the disclosure of cybersecurity risks do provide some insight into how the SEC is beginning to think about cybersecurity risk in other segments of the market.
“The SEC’s new rule focuses on cybersecurity risks faced by public companies,” said Michael Decker, senior vice president for research and public policy at the Bond Dealers of America. “It will require corporate issuers to disclose material cybersecurity incidents and report how they manage cyber risks.”
“While yesterday’s release does not have immediate implications for municipal issuers, it gives us a sense of the Commission’s thinking around risks to investors posed by cyber attacks on issuers,” he added. “Perhaps relatedly, cyber risks to municipal issuers were a discussion topic at the SEC’s municipal disclosure conference in May. Clearly, they see cyber risk as a priority.”
In a comment letter published in June, the Municipal Securities Rulemaking Board outlined its opposition to much of the SEC's proposed Rule 10, taking issue with its overly broad scope and with its lack of harmonization with the SEC's separate proposal on Regulation Systems Compliance and Integrity (SCI).
“The MSRB believes that the scope of proposed Rule 10 is overly broad, which could diminish the effectiveness of the rule by diverting a disproportionate amount of covered entities’ efforts to information and systems that have little or no relevance to the U.S. securities markets,” the MSRB wrote.
The proposal's broad scope could also sweep in some of the MSRB's own internal systems that have little relation to the securities markets, the MSRB said.
“For example, the defined term ‘information systems’ could be understood to cover as information resources the third-party software-as-a-service (SaaS) solutions that the MSRB uses for employee rewards/recognition and employee expense reimbursement, although those SaaS solutions have no apparent relevance to the U.S. securities markets or the MSRB’s ability to fulfill its role as a self-regulatory organization.”
The MSRB is already subject to Regulation SCI through its EMMA system, and therefore to cybersecurity requirements that overlap with the proposed rule; it bemoaned the lack of harmonization between the two.
The MSRB also took issue with the absence of an exception that would allow public disclosure of a significant cybersecurity incident to be delayed where disclosure itself could raise legitimate concerns. The Commission changed part of its final rule to accommodate this concern.
“With respect to incident disclosure, we are narrowing the scope of disclosure, adding a limited delay for disclosures that would pose a substantial risk to national security or public safety,” the SEC said in its final rule.
The MSRB, joined in its opposition by the Securities Industry and Financial Markets Association, also wrote that it was concerned about the requirement to publicly disclose cybersecurity risks and covered entities' responses to those risks, which it said could have a net negative effect on cybersecurity in the U.S. securities markets.
SEC Commissioner Hester Peirce, in her dissent from the proposal, expressed similar unease.
“Even as the new disclosures tip off informed cyber criminals, they might mislead otherwise uninformed investors without first-hand knowledge of cyber attacking,” Peirce wrote. “The fast timeline for disclosing cyber incidents could lead to disclosures that are ‘tentative and unclear, resulting in false positives and mispricing in the market’.”