Roundtable and Nareit Comment on SEC's Proposed Rules on Cybersecurity
May 9, 2022
The Real Estate Roundtable and Nareit submitted comments in response to the Securities and Exchange Commission’s March 9 proposal related to Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
Nareit and The Roundtable are broadly supportive of the SEC’s efforts to ensure that investors receive accurate and comparable material information regarding company cyber risk management and incidents. However, based on member feedback and analysis of the Proposal, we have a number of concerns arising from the detailed, granular reporting that would be required by the Proposal, and the rigid incident reporting deadlines, which members fear may unintentionally exacerbate cybersecurity risks for issuers and impose burdens unjustified by obvious benefits.
- It is vital to harmonize SEC reporting requirements with other federal and state cyber incident reporting requirements.
- The Commission’s proposed 72-hour reporting window should incorporate flexibility for a reporting delay to accommodate other law enforcement and other contingencies.
- Registrants should not be required to report detailed descriptions of their internal cybersecurity gameplans, which could compromise them in any number of ways.
- The prescriptive requirements for disclosing risk management, strategy, and governance regarding cybersecurity risk are burdensome and unjustified.
# # #