May. 09, 2022
Honorable Chairman Gary Gensler
Honorable Commissioners Allison Herren Lee, Caroline A. Crenshaw, and Hester M. Peirce
U.S. Securities and Exchange Commission
100 F Street NE
Washington, DC 20549

Dear SEC Commissioners,

Companies have become highly reliant on cyber environments. These have absorbed critical parts of company operations in the last decades, in what has been called the digitalization process. Digitalization has opened new opportunities and improved productivity, leading to financial gains. Simultaneously, it has increased their exposure to risks and attacks beyond the physical realm. Public companies, in particular, are attractive targets for perpetrators, arguably due to their large financial resources, the high volumes of data they process, and their societal visibility.

Cybersecurity incidents create a dilemma for companies, especially for public companies, who experience a complex trade-off when disclosing cybersecurity incidents: the roadmap dilemma. This dilemma is associated with the need for a company to fine-tune its information sharing to blend transparency and defense against future attacks.

The Commission's proposal addresses a critical need, which is the clarification to the market of what is understood as "relevant and material information". We believe, in addition, that the Commission might further improve the efficacy of the proposal by more explicitly and intensively leveraging data from past cybersecurity incident disclosures made by public companies to that purpose. Specifically, this would allow lowering company acceptance hurdles, by better considering critical nuances in disclosed variables, or what companies feel comfortable sharing at the moment regarding cybersecurity incidents. Shortcomings in meeting these critical aspects can hinder the success of the Proposed Rule.

In our research, we have analyzed past disclosures to propose a bottom-up classification for cybersecurity incidents that integrates the perspectives of perpetrators and targeted companies and considers such a roadmap dilemma. The details of our proposition are presented in the following working paper: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4101510. We believe that our proposed classification could be beneficially integrated within enhanced future SEC disclosure rules, primarily in the scope of item 2 in your Request for Comments section (p. 28). Furthermore, our classification can assist public companies with peer experience in addressing the roadmap dilemma.

We hope that the fortunate coincidence between the conclusion of our research and the Commission's Request for Comment may translate into a valuable contribution to this proposal, and we are fully open to further interacting with the Commission on the details of our study.

Wishing this important initiative every success,

Sincerely,

Núbio Gomes Filho¹, Nazaré Rego¹, and João Claro²

¹ Escola de Economia e Gestão, Universidade do Minho, Braga, 4710-057, Portugal
² INESC TEC and Faculdade de Engenharia, Universidade do Porto, Porto, 4200-465, Portugal