On March 9th, the SEC announced that it is proposing rules designed to improve and allow for more timely standardized disclosures regarding cybersecurity risk management, strategy, governance, and the reporting of cybersecurity incidents by public companies that must comply with the reporting requirements under the Securities Exchange Act of 1934. Increased cybersecurity disclosures would provide investors with information needed to consider which risks to take.
The proposed amendments would help keep investors apprised of a registrant’s cybersecurity practices and incident reporting by requiring the following disclosures:
current reporting about material cybersecurity incidents
updates about previously reported cybersecurity incidents in their periodic reports
cybersecurity disclosures presented in structured data format, such as XBRL
periodic disclosures about a registrant’s policies and procedures to identify and manage:
management’s role in implementing cybersecurity policies and procedures, and
board of directors’ cybersecurity expertise and the board’s oversight of cybersecurity risk
how cybersecurity risks and incidents might affect the company’s securities
The public may submit feedback on matters related to the proposal during the comment period, which will remain open for 30 days after publication in the Federal Register. For more information on the comment period and instructions on how to respond, see the Proposed Rule on the SEC’s website. The proposal will be published on the SEC’s website and in the Federal Register.