SEC cyber rules could survive regardless of election outcome, experts say

[This article includes insights from a panel during a live CFO Dive and CIO Dive event, which took place Oct. 30. Sessions can be watched here.]

While both presidential candidates Vice President Kamala Harris and former President Donald Trump have differing views on overall regulation and enforcement strategy, cybersecurity regulations may be a rare area of bipartisan agreement, experts told CFO Dive during a recent live event.

While it’s difficult to predict ahead of time how elections will impact things, “I think we generally find that cyber is a rather bipartisan kind of focus area,” John Pearce, principal, cyber risk, risk advisory services for consulting firm Grant Thornton. Pearce spoke Wednesday during a panel at a joint CFO Dive and CIO Dive online event, together with Jonathan Fairtlough, principal at KPMG cyber response.

Agencies like the Securities and Exchange Commission have recently finalized rules strengthening their enforcement of cybersecurity for public companies, for example, but such rules are about bringing transparency to investors — something that also tends to have bipartisan support, Fairtlough agreed.

Moreover, “the fact that this is not really having a macroeconomic impact,” the cyber rules themselves are unlikely to shift — the election could influence the enforcement and leadership of the SEC, but “I don’t see the cyber rules really going anywhere,” Pearce said.

Fostering open cyber communication

Agencies such as the SEC and the Federal Trade Commission have increased their cybersecurity enforcement efforts in recent years, CFO Dive previously reported — joining a growing cohort of international lawmakers and regulators doing the same.

“What we are now seeing is national regulation, both in the United States and in the European Union, and frankly, all across the world, to create a regulatory environment that promotes and requires cybersecurity and creates punishment and potential litigation issues for failures,” Fairtlough said Wednesday.

That includes the SEC, which finalized rules last year requiring public companies to disclose any “material cybersecurity” breach in their form 10-K within four days of determining if such a breach is material. The rules have led to friction between the regulator and company leadership as executives look to keep pace with a regulatory environment that is getting more complex each year, CFO Dive previously reported.

Ultimately, the future of such a rule — and the SEC’s overall enforcement strategy — will rest in the hands of the agency’s leadership, which could change after the next president takes office.

Though both Harris and Trump have shown support for stronger cybersecurity measures, Industry Dive sister publication Cybersecurity Dive reported, the candidates’ approaches on federal regulations broadly differ — Trump, for example, has promised to slash numerous federal regulations should he regain the presidential seat.

While “predicting the outcome on both an election and policy process is always an exercise in futility,” there are some takeaways from how the SEC and other government bodies such as the Supreme Court have approached cybersecurity, Fairtlough said Wednesday.

The SEC, for its part, does not consider its recent cybersecurity rule to be a new requirement, he said — rather, the agency sees it as “a clarification of existing responsibilities that companies have always had, and they're just simply trying to define that and make it clearer for the entities to understand how they have to disclose risk,” he said.

“I think that lens and the communication to the public is something that is bipartisan, that people want investors and the investing public to understand the risks and how risks are being addressed by their investments,” Fairtlough said. “Whether or not the informed mechanisms will remain the same, I think will depend on both the character and structure of the SEC going forward.”

Finance, IT collaboration is key

While it can be tricky to determine just how certain cybersecurity rules may change in the aftermath of the election, the SEC regulations are just one piece of a regulatory environment that is growing more and more complex each year. For U.S. CFOs, there’s also a bit of a learning curve — the U.S. has lagged behind certain markets such as Europe when it comes to implementing robust cyber regulations, for example.

“I think as we go forward, I think we have to realize, especially [in the] United States…some of these enforcement actions and the parties that are doing them, it's rather new,” Pearce said.

This is changing not only what rules companies need to comply with, but who is in charge of managing those risks and enforcement actions in the executive team. As one example, emerging rules will change the “long-term spending structure” for companies, Fairtlough said.

“Traditionally the rules around, okay, who buys what, and what technologies are used have been led by the technologists to focus primarily on what I would call the maintenance of systems,” he said. “But now another lens is added to this evaluation. What is the risk that these technologies pose both to our ability to meet our obligations going forward” in terms of both supply chain and and businss risk, but also regulatory risk, he said.

An IT team may not have the business insight needed to quantify those risks, but this is where finance leaders can step in. Having that understanding is critical as companies seek to navigate the complex cybersecurity regulatory environment.

“This sea change, it's slowly seeping in, but it's becoming more and more and more of a requirement where we're seeing boards and, executives, [the] C-suite really trying to grapple with, what are the methods they can use to understand cyber risk and to be able to quantify it, and to be able to measure it, without having to understand each and every piece of the technology?” Fairtlough said.