Both Acting Chair Mark T. Uyeda and Commissioner Hester Peirce dissented at the time from the adoption of the Cybersecurity Rules, criticizing the requirements as unnecessary, immaterial and burdensome. On October 22, 2024, Uyeda and Peirce issued a joint dissent heavily criticizing charges brought against companies for allegedly making materially misleading disclosures regarding cybersecurity. The dissent characterized the enforcement allegations as being of two types:

1. Failing to disclose material information (in the cases of Avaya and Mimecast); and
2. Failing to update an existing risk factor in response to a cyberattack (in the cases of Check Point and Unisys).

The dissent disagreed that there were material omissions and believed it highly unlikely that investors would view the omissions as material, especially since some of the incidents had already been reported in the media. The dissenters therefore considered the focus to be wrongly directed at immaterial details of the incidents themselves rather than at their overall impact. Acting Chair Mark T. Uyeda and Commissioner Hester Peirce also discounted certain claims by the SEC that companies had framed cybersecurity events as hypothetical. They countered that there should have been a clearer explanation of why any of the alleged omissions were material from a securities law perspective. The dissent concluded that the majority failed to apply a “reasonable investor” standard in each of these orders.

There is uncertainty as to whether the SEC, when the new Chairman and new Commissioners are in place, will repeal or otherwise revise the Cybersecurity Rules. Some clues could be derived from the way they looked at other somewhat similar rules. On February 11, 2025, Acting Chair Uyeda announced that the SEC will not defend its climate disclosure rules that are currently being challenged in the Eighth Circuit.
It is unclear whether the other Commissioners will take a similar stance and ultimately consider repealing, or otherwise limiting the enforcement of, the Cybersecurity Rules. There are of course fundamental differences between the climate change rules and the Cybersecurity Rules, and the challenge to the climate rules goes much deeper. Critics argue the SEC does not have the authority to require climate-related disclosures without specific congressional approval, and some argue that the rules violate companies’ First Amendment rights, issues that are not as relevant to cybersecurity disclosure or enforcement.