The Securities and Exchange Commission (SEC) on March 9 issued a proposed rule that would require publicly traded companies to disclose a cybersecurity incident within four days of determining a breach is “material,” or important to the average investor. (BGov, March 11 and SEC News Release | Proposed Rule | Fact Sheet)
Proposed SEC Requirements
- SEC Chair Gary Gensler, above, said, “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” (Bloomberg, March 9)
- An SEC spokesperson noted that the crisis in Ukraine gave these proposals “special relevance.” (CNBC, March 9 and see story below on The Roundtable’s upcoming March 25 discussion on the Ukraine conflict)
- The proposed SEC amendments would include requirements around reporting material cybersecurity incidents – and providing periodic updates for previously reported cybersecurity incidents. (Wall Street Journal, March 9)
- The proposal also would require periodic reporting related to:
- a registrant’s policies and procedures to identify and manage cybersecurity risks;
- the registrant’s board of directors’ oversight of cybersecurity risk; and
- management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.
- The Real Estate Roundtable is planning to provide comments on the SEC proposal in advance of the May 9, 2022 submission deadline and looks forward to Roundtable members’ input. The proposed four-day reporting timeframe for companies to provide cyber disclosures may not provide enough time for companies to discover the full extent of an incident. (BGov, March 11)
Cybersecurity Threats
- An Audit Analytics report released last year showed the number of cybersecurity intrusions reported by public companies increased from 28 breaches in 2011 to 117 in 2020.
- The average cost of a corporate data breach was $4.24 million in 2021, according to an annual IBM Security report.
- Separately, the $1.5 trillion omnibus bill spending bill enacted on March 11 included the Cyber Incident Reporting for Critical Infrastructure Act. The legislation establishes a narrower 72-hour window for critical infrastructure owners and operators to disclose a cyberattack to the Cybersecurity and Infrastructure Security Agency (CISA). Certain businesses are also required to report any ransom payments to the federal government within 24 hours, among other changes. (Brownstein Hyatt Farber Schreck, March 14)
- The Real Estate Roundtable’s Homeland Security Task Force (HSTF) is coordinating briefings on the following security threats through the Real Estate Information Sharing and Analysis Center (RE-ISAC):
- April: DHS Sector Outreach and Programs (Active Shooter, and other soft target resources for the Commercial Facilities Sector)
- May: DHS Fusion Center overview
- June: US Secret Service cybercrime
- August: The Protective Security Advisor Program
- September: FBI cybersecurity/cybercrimeNovember: The InfraGard program
Roundtable members interested in participating can contact Andy Jabbour of the RE-ISAC.
# # #