All Companies Must Resist the Urge to "Game" New SEC Cyberattack Disclosure Regulations

Dr.  Susan Moore for TEMVI 

Published Aug. 3, 2023 11:33AM ET

New York- Kim Nash, Deputy Bureau Chief, The Wall Street Journal reports on how new rules governing when publicly traded companies must report serious cyberattacks.  While executives disagree on what the rules mean, CEOs and board members are advised against attempting to "game" the system. 

In the article, TEMVI Managing Director, Thomas View advises strongly in favor of frank and direct reports to government related to cyberattacks. “Even if leaders are not explicitly required to make a certain level of disclosure," says View "CEOs and boards would be well advised to exercise the highest level of forthrightness and candor in communications related to cybersecurity.” * 

In an interview with View for this article, he elaborates.  "The instinct to try to game the rules (i.e., predict some minimum acceptable level of disclosure) is misguided from a number of perspectives. First, like RICO and SEC 10 (b) -5, SEC, one should expect that certain regulatory disclosure requirements are intentionally somewhat vague."  

He goes on to state that, historically, regulators understand that certain crimes typically committed by fairly sophisticated people. They understand how to use the rules and procedures meant to protect a system to, instead, manipulate the system for a desired outcome. By maintaining a certain vagueness, regulators  want to encourage people to err on the side of caution.

Critics of statutory vagueness argue that it does not give fair notice of what conduct is prohibited. As well, critics argue that vagueness puts too much discretion in the hands of law enforcement officers. Despite these criticisms, the drafters of these provisions adopt broad language applicable to any fraudulent activity in order to reach the unanticipated schemes that might be designed to conform to the letter of the law and not its spirit. 

Secondly, government regulations generally confirm to standards- of-care that apply define negligence. 

"This distinction is the difference between paying a fine and personal or criminal liability for a CEO or board member." Says View "The same behavior that could result in a regulatory fine when viewed as a tort, could result in personal--sometimes criminal--liability for  CEOs and board members."


Ayan View contributed to this article