By Cydney Posner
This article from BNA quotes former Corp Fin Director Meredith Cross as saying that she expects to see future disclosure requirements, including corporate spending levels, regarding the steps taken by companies to prevent cybersecurity risk. That type of disclosure is just one of several that she expects will continue to be introduced to guide corporate behavior to effect social and political goals: "'Requiring companies to post [on EDGAR] potentially embarrassing information… even if the information is not qualitatively or quantitatively material to investors, can be a very powerful motivator to change corporate behavior…. Congress has figured this out, and the dam' has broken, she said. 'And I think there is a significant risk that people will keep pushing for it.'" The challenge for the SEC (a "nearly impossible position," according to Cross) is trying to determine, when rules are proposed, "how these regulations would impact competition, capital formation and efficiency...." (Note that regulation by humiliation is really nothing new, but what seems to be different here is the extent of the Congressional mandate.)
With regard to cybersecurity risk disclosure, while Senator Jay Rockefeller has previously urged the SEC to enhance its formal guidance on disclosure of cybersecurity risks, the last draft of his cybersecurity bill to be made public dropped the reporting requirement.