In the U.S., the director of the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued a statement addressing early inconsistencies observed under the agency’s new cybersecurity incident disclosure rule.
Following this news, Digital Journal heard from Mike Lyborg, CISO at Swimlane, who considered the implications for the technology community.
Lyborg begins by assessing the communications wave that has been running through the tech sector following the announcement: “The SEC’s initial rule on materiality sparked confusion and excessive disclosure from public companies, prompting a course correction with a new statement from the Division of Corporation Finance.”
As to the implications, Lyborg thinks: “This demonstrates a commitment to refine the rule, balancing transparency with investor relations and risk management concerns. This rings especially true as 56 percent of companies point to the potential impact on future financial performance as the top factor influencing their assessment of material incidents.”
There are benefits, yet issues also remain, Lyborg observes: “While this focus on iterative improvement is commendable, challenges remain. A lack of standardized materiality assessment protocols and maturing risk management practices within companies raise questions about effectively gauging the long-term impact of cyber incidents.”
This comes down to a confusion between the concepts of regulatory compliance and balanced risk assessment, as Lyborg notes: “It’s crucial to distinguish between compliance and proactive risk management. We’ve seen the ‘check-the-box’ approach fall short time and time again. The SEC’s adjustments seem aimed at preventing investor complacency about cyber threats, but time is needed for investors to fully understand and utilize this information.”
This means ongoing concerns remain: “The core issue persists: companies struggle to assess materiality under tight deadlines, leading to hasty and potentially incomplete disclosures. Prioritizing robust risk management, supported by thorough evidence collection, is key. This empowers companies to make informed reporting decisions, regardless of the timeframe.”
In calling for a clearer narrative, Lyborg recommends: “The SEC’s evolving stance acknowledges the need to strike a balance between transparency and investor confidence. Though challenges remain, particularly with materiality assessments, the commitment to continuous improvement signifies a positive step forward in cybersecurity regulation.”
