FR 2020-28273

The Securities and Exchange Commission (SEC) has introduced a new regulatory rule aimed at enhancing the reliability and integrity of submissions through its Electronic Data Gathering, Analysis, and Retrieval system, known as EDGAR. This development is intended to address administrative issues that have arisen as the volume of submissions has increased over time. The rule will allow the SEC to take specific actions to mitigate potential risks associated with data submissions, cybersecurity threats, and unauthorized access.

General Summary

The document outlines the SEC's new rule and its amendments to existing procedures that govern the filing and correction processes within the EDGAR system. It sets forth actions the SEC may take to enhance data integrity. For instance, the SEC can redact sensitive personal information to prevent financial harm, address cybersecurity threats by blocking risky submissions, and correct errors or unauthorized uses swiftly. Filers will be notified of these actions as soon as reasonably practicable.

Significant Issues or Concerns

One notable concern is the broad discretion granted to the SEC to act without notifying filers in advance. This capability may raise fairness and due process issues, especially when the Commission acts on submissions containing sensitive personally identifiable information (PII). Although the rule aims to protect individual privacy, the expansive definition of Sensitive PII and handling it without prior notice could lead to privacy concerns.

Moreover, the economic analysis portion of the rule is predominantly qualitative, emphasizing transparency and efficiency but lacking quantitative data to support claims of economic impact. This could make it challenging for stakeholders to fully assess the economic ramifications of the rule.

Public Impact

Broadly, the rule seeks to enhance the security and accuracy of financial data collected through EDGAR, which might improve public trust in the system. By ensuring that sensitive information is protected and cybersecurity threats are mitigated, the SEC aims to protect investors and other public users from potential financial risks.

Impact on Specific Stakeholders

• Filers: The rule provides clearer guidance on what actions the SEC might take to ensure data integrity. However, the potential for actions without advance notice could create uncertainty. Filers might have to implement more stringent internal processes to avoid administrative or technical issues with submissions.

• Investors and Financial Professionals: By promoting data accuracy and security, the rule benefits this group as it relies on EDGAR submissions for decision-making. Enhanced data integrity could lead to improved confidence and investment outcomes.

• Vendors and Suppliers: These entities, often involved in submission processes, must be cognizant of their potential inclusion as "relevant persons" in notifications from the SEC, necessitating heightened diligence in their operations.

While the rule aims to streamline administrative processes and protect data integrity, stakeholders must remain vigilant and adapt to the new regulatory landscape to fully leverage its benefits. Potential concerns about privacy, transparency, and fair application of authority by the SEC need to be monitored and addressed to ensure the rule meets its intended objectives without unintended negative consequences.

The document references financial matters in the context of cybersecurity threats and their economic implications. One specific reference is made regarding the cost of malicious cyber activity to the U.S. economy in 2016, estimated to be between $57 and $106 billion. This estimate includes financial impacts from denial of service attacks, disruption of business activities, and theft or destruction of proprietary or strategic information. This reference highlights the significant economic stakes involved in maintaining robust cybersecurity measures, particularly in systems like EDGAR used for electronic data gathering and analysis.

This financial reference is relevant to several issues identified in the document. Firstly, it underscores the importance of the rule empowering the Commission to prevent cybersecurity threats in EDGAR submissions, as the economic impact of cyberattacks can be profound. By addressing potential threats proactively, the Commission aims to mitigate the high costs associated with cyber incidents, reflecting a direct concern for national economic security.

Additionally, the substantial dollar amounts associated with cybersecurity breaches reinforce the necessity of the Commission's broad discretion in taking immediate action. While some may view this discretion as potentially impacting fairness and due process, the financial risks underscore the rationale for rapid response capabilities to prevent economic loss.

Moreover, the document's reliance on qualitative rather than quantitative economic analysis could be seen as a limitation in fully conveying the potential financial benefits of the rule. The lack of comprehensive data might hinder a complete understanding of the economic trade-offs involved, illustrating a transparency issue. Therefore, the discussion of financial implications here could strengthen the case for more detailed quantitative analyses in future discussions, aiding in more transparent evaluation of regulatory impacts.

In summary, the monetary impact of cybersecurity threats as discussed in the document serves not only to justify certain regulatory measures but also to highlight issues related to the rule's implementation and assessment. The document points out significant potential costs associated with data vulnerabilities, emphasizing the crucial need for protective measures in digital financial systems.