Statement on the Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

July 26, 2023

Thank you, Chair Gensler. In February 2018, the Commission issued an interpretive release discussing how companies should consider the materiality of cybersecurity risks and incidents when preparing their filings under the Securities Act[1] and the Exchange Act[2] (the “2018 Interpretive Release”).[3] The 2018 Interpretive Release highlighted how the Commission’s existing, principles-based disclosure requirements for risk factors, management’s discussion and analysis (MD&A),[4] description of business, and board risk oversight could require disclosure of a company’s material cybersecurity risks and incidents.[5] Today, the Commission is considering final rules that would impose a prescriptive disclosure regime regarding cybersecurity risk management, strategy, governance, and incidents.[6] When evaluating the proposal, some commenters believed that the 2018 Interpretive Release already compelled sufficient cybersecurity disclosure. Given this support for the existing guidance, today’s amendments could have addressed other concerns by making incremental changes to the Commission’s disclosure regime as it applies to cybersecurity. However, rather than using a scalpel to fine-tune the principles-based approach of the 2018 Interpretive Release, today’s amendments swing a hammer at the current regime and create new disclosure obligations for cybersecurity matters that do not exist for any other topic.

Cybersecurity is one of numerous risks and issues that companies must address from financial, operational, governance, and other perspectives. The Commission’s disclosure rules should not elevate cybersecurity above these other risks and issues, some of which may be more material to investors. However, the new disclosure obligations imposed on companies by today’s amendments do just that.

For example, a company must disclose “management’s role in assessing and material risks from cybersecurity threats.”[7] In doing so, it must specify the “management positions or committees [that] are responsible for assessing and managing such risks.”[8] And if that were not enough, the company must also provide disclosure equivalent to the resumes of such management and committee members.[9] If the Commission were to require such prescriptive disclosure for management’s role in assessing and managing risks, it should do so for only the most material risks that a company faces. Yet, the adopting release contains no meaningful discussion or reasoning as to why cybersecurity is more material than other risks, such as customer acquisition and retention, product development, innovation, globalization, competitors, regulatory approvals, taxes, and supply chain management. Compared to cybersecurity, these other risks likely have a greater effect on the company’s financial performance and, accordingly, its stock price.

Following today’s amendments, investors will have far less insight into how a company manages these other risks relative to cybersecurity, even if the company has not had any material cybersecurity incidents. Why is this? If the Commission elevates one risk above all others, the public deserves to know why the Commission is doing so. Failure to provide a reasoned basis is arbitrary and capricious and ignores the purposes of the Securities Act and the Exchange Act. It is not enough to simply proclaim “investor protection” and “public interest.”

In addition to prescriptive disclosure, today’s amendments break new ground by requiring real-time, forward-looking disclosure. As part of the new Form 8-K requirement, a company will need to disclose a cybersecurity incident’s material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations.[10] These impacts, and reasonably likely impacts, will necessarily involve forward-looking statements, such as the estimated costs to remediate the incident or the potential loss of customers, and accordingly revenue, from the incident. Furthermore, a company will be required to amend its Form 8-K to disclose any material impacts, or reasonably likely material impacts, that were not determined or were unavailable at the time of the initial filing.[11] No other Form 8-K event requires such broad forward-looking disclosure that needs to be constantly assessed for a potential amendment.[12] Even in the context of a significant acquisition by a company – which is one of the most material corporate events – Form 8-K does not require any forward-looking disclosure with respect to the acquisition’s impact, or reasonably likely impact, on the company.[13]

The Form 8-K incident reporting requirement includes an exception for disclosure that “poses a substantial risk to national security or public safety.”[14] However, it is perplexing that there is a time limit of 120 days for this exception, and the last 60 days apply only in “extraordinary circumstances.”[15] The adopting release states that these 120 days “appropriately balance [national security or public safety] concerns against investors’ informational needs.”[16] This time limit is in stark contrast to the exception in Rule 171 under the Securities Act and Rule 0-6 under the Exchange Act, neither of which requires disclosure of any information “classified…for protection in the interests of national defense or foreign policy.”[17]

Further, I question the notion that a reasonable investor would be unwilling to sacrifice receiving information that may jeopardize national security or public safety. Indeed, most investors do not hold the stock of a single company, but rather they hold a portfolio of securities. Premature public disclosure of a cybersecurity incident at one company could result in uncertainty about vulnerabilities at other companies, especially if it involves a commonly used technology provider, resulting in widespread panic in the market and financial contagion. Early information is often incomplete and incorrect. One need only look at the regional banking crisis to see how speculation can destabilize entire sectors, or even the markets as a whole. In short, investors today care far more about their overall portfolios than about any individual company.

Finally, the finding that today’s final rule is not a “major rule” under the Small Business Regulatory Enforcement Act is not credible or supportable. A “major rule” includes, among other things, any rule that is likely to result in an annual effect – which should aggregate both benefits and costs – on the economy of $100 million or more. One commenter estimated that annual compliance costs would be between $184.8 million and $308.1 million, but the Commission dismisses such estimates by asserting that they overstate the number of affected companies and reflect only the proposed rule, not the final rule. However, the Commission fails to put forth any estimate of its own and simply states that “we are generally unable to quantify costs related to the final rules due to a lack of data.”

Because of these and other concerns that I have with today’s amendments, I am unable to support them. However, I thank the staff of the Division of Corporation Finance, the Division of Investment Management, the Division of Economic and Risk Analysis, and the Office of the General Counsel for their work on this rulemaking. I would especially like to thank Luna [Bloom][18] for her insightful and thoughtful discussions with my office.


[1] Securities Act of 1933.

[2] Securities Exchange Act of 1934.

[3] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 21, 2018) [83 FR 8166 (Feb. 26, 2018)], available at https://www.sec.gov/rules/interp/2018/33-10459.pdf.

[4] Management’s Discussion and Analysis of Financial Condition and Results of Operations.

[5] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, supra note 3, at 8169-8170. The 2018 Interpretive Release also discussed how cybersecurity risks and incidents may affect companies’ financial statements. Id. at 8170.

[6] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 34-97989 (July 26, 2023) (the “Adopting Release”) at Section II.H, available at www.sec.gov/rules/final/2023/33-11216.pdf.

[7] New Item 106(c)(2) of Regulation S-K.

[8] New Item 106(c)(2)(i) of Regulation S-K.

[9] Id. (requiring disclosure of “the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise”). See also new Instruction 2 to Item 106(c) (stating that the “[r]elevant expertise of management in Item 106(c)(2)(i) may include, for example: Prior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity.”).

[10] See new Item 1.05(a) of Form 8-K.

[11] See new Instruction 2 to Item 1.05 of Form 8-K.

[12] Items 2.05 and 2.06 of Form 8-K require disclosure of estimated costs related to the reportable event, but those requirements are narrowly tailored to specific forward-looking information.

[13] See Item 2.01 of Form 8-K.

[14] See new Item 1.05(c) of Form 8-K.

[15] Id.

[16] The Adopting Release at Section II.A.3.

[17] 17 CFR 240.0-6.

[18] Chief – Rulemaking, Division of Corporation Finance.