'Groundbreaking' or Broken? An Analysis of SEC Cyber-Security Disclosure Guidance, Its Effectiveness, and Implications

Matthew F. Ferraro
Albany Law Review, vol. 77, no. 1, p. 297 (published 2013-05-05)
DOI: 10.2139/SSRN.2286905
Citations: 14

Abstract

In October 2011, the Securities and Exchange Commission (SEC) responded to mounting concern about the threat of cyber-attacks on corporate America by issuing staff guidance on when publicly traded companies should disclose information about cybersecurity vulnerabilities and attacks in their annual public filings. This SEC cybersecurity disclosure guidance has escaped serious analysis until now. Using case studies and paying particular attention to the comment letters sent by the SEC to registrants to prompt greater disclosure, this article concludes that the guidance both procedurally overreaches and substantively underachieves. It overreaches because, while it is facially a nonlegislative rule, it has had the practical effect of binding private conduct as if it were a legislative one, violating the Administrative Procedure Act. It underachieves because the disclosures it requires are vague, similar across industries and companies, and bring little information to the marketplace. In particular, it fails to resolve an information asymmetry problem — between corporate managers and stockholders — that the disclosure laws are meant to address. To resolve these defects, the SEC should elevate cybersecurity disclosure guidance and issue it as a legislative rule, after a notice and comment period. Notice and comment rulemaking would contribute to sounder policy by allowing stakeholders to offer their expertise and experience at the front-end of the rulemaking process, improving the rule and its acceptability among the public. This guidance offers a counterexample to those who say that agencies do not commonly use guidance documents to make important policy decisions outside of the notice and comment process. The experience with this guidance also suggests the limits of agency creativity during periods of political ossification, and it challenges the simple verity that economic security and national security have merged.