SEC mulls redefining cyber as we know it

Investors have a lot to learn. [View in browser]( [Bloomberg]( Hi, it’s Andy Martin in New York. U.S. companies may soon have no choice but to be more forthcoming about when hackers hit. But first... Today’s must-reads: - Google [said it plans]( to put $9.5 billion into offices and data centers in 2022, an investment in bringing more workers back - The architect of Spotify’s [controversial podcasting]( strategy is departing the company - Ethereum’s [highly-anticipated update](, which aims for a smaller carbon footprint, is likely to be completed after June SEC cyber rules promise accountability at ‘highest-levels’ Public companies are supposed to let investors know when they have been hit with a significant cyberattack, according to guidance from the U.S. Securities and Exchange Commission. That hasn’t worked out so well. Often based on the judgments of corporate lawyers, many companies decide against reporting. Even when they do, the disclosure is so generic that it isn’t useful to investors. “I worry that these judgments have too often erred on the side of nondisclosure, leaving investors in the dark – and putting companies at risk,” said former SEC Commissioner Robert J. Jackson Jr. in 2018. Company management is also supposed to keep boards informed about cybersecurity issues. But in 2020, only 17% of Fortune 100 companies surveyed disclosed reporting cyber issues to board members at least annually or quarterly, according to [a March 2021 report]( on public companies’ cyber-risk disclosures from the assessment firm SecurityScorecard, the National Association of Corporate Directors and others. That may be about to change after the SEC issued a series of proposals that would require public companies to report on material cyber incidents within four days of discovery and report on several other cyber-related issues, such as company policies for managing cyber-risks and the cyber expertise, if any, of members of the board. Jamil Farshchi, chief information security officer at Equifax, told Bloomberg that the proposals represent “some much-needed transparency” that would require “accountability at the highest levels of corporate leadership.” The SEC also proposed new rules for investment advisers and funds. If approved, they would be required to implement policies to address cyber-risk and disclose cyber incidents to current and prospective clients or investors. Of course, a key question remains over what constitutes a “material” or “significant” cyber incident. On that front, the SEC reiterated that information is material if there is a “substantial likelihood that a reasonable shareholder would consider it important.” Recent events may have offered new insights into the SEC’s views. In what became known as the SolarWinds hack, Russian state-sponsored hackers infected updates from a U.S. federal contractor, using that to stage further intrusions. Afterward, the SEC sent letters to at-risk companies, asking them to self-report if they had been attacked and to what extent. The SEC also suggested potential forgiveness to companies that complied, even if they hadn’t previously disclosed the incident to investors. “The SEC’s Amnesty Program is most noteworthy as a signal on how the SEC’s understanding of threshold materiality may be evolving in response to the changing nature of cyber risk,” according to an updated report released today by National Association of Corporate Directors, the Cyber Threat Alliance and Security Scorecard on the SEC’s proposals and recent actions. “The SEC’s Amnesty Program is a signpost for a conservative interpretation of where disclosures are warranted, at least in the context of software vulnerabilities.” The report’s authors said the SEC’s actions and proposed initiatives make it clear that it intends to play an active role in strengthening cybersecurity for the companies that fall under its regulatory umbrella. “I think this is kind of a watershed moment for the SEC and its cybersecurity oversight,” said Sachin Bansal, chief business and legal officer of SecurityScorecard. Not everyone is convinced the SEC proposal will be completely transformative. “I see a lot of arguments about materiality on the horizon and lots of legal tests needed to land somewhere,” said Drew Simonis, the CISO at Juniper Networks, in [a post on LinkedIn](. “Not to say the SEC rule won’t advance transparency. I just think it’s a first down vs. a touchdown.” It’s safe to say that others (those corporate lawyers) will take a much dimmer view of the SEC’s proposals and will undoubtedly share them with the commission before they vote. —[Andrew Martin](mailto:amartin146@bloomberg.net) The big story Jack Dorsey’s evolution from Twitter boss to Bitcoin’s unofficial spiritual leader has come with plenty of questions. Now, as he transforms Block (formerly known as Square) into a tool for [advancing cryptocurrency](, former employees say that as a futurological weather vane Dorsey is rarely wrong. What else you need to know Speaking of Dorsey, a nonfungible token of the [first-ever tweet]( isn’t drawing many high bids. WeWork is trying to [strengthen its tech credentials]( by selling a new software product to employers. Chipmakers say inventory build-up is a [signal of increased demand](, not a reason for concern. Crypto payments startup Circle said it’s [closer to submitting]( an application to operate as a bank. What to watch: Bloomberg TV dissects [a fake press release]( that sent shares of a lithium miner up 200%. Programming note: Fully Charged will be off on Friday. Have a good weekend! Follow Us More from Bloomberg Dig gadgets or video games? [Sign up for Power On]( to get Apple scoops, consumer tech news and more in your inbox on Sundays. [Sign up for Game On]( to go deep inside the video game business, delivered on Fridays. Why not try both? Like Fully Charged? | [Get unlimited access to Bloomberg.com](, where you'll find trusted, data-based journalism in 120 countries around the world and expert analysis from exclusive daily newsletters. You received this message because you are subscribed to Bloomberg's Fully Charged newsletter. If a friend forwarded you this message, [sign up here]( to get it in your inbox. [Unsubscribe]( [Bloomberg.com]( [Contact Us]( Bloomberg L.P. 731 Lexington Avenue, New York, NY 10022 [Ads Powered By Liveintent]( [Ad Choices](