SEC proposes rule changes to standardize cybersecurity disclosures by public companies

The U.S. Securities and Exchange Commission (SEC) has proposed rule changes designed to enhance and standardize disclosures for cybersecurity risk management by public companies.

The proposed amendments would require current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents. In addition, it would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks, as well as the board’s oversight of cybersecurity risk and management’s role in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.

Further, it would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise.

“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” SEC Chair Gary Gensler said. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”

The proposed amendments are designed to better inform investors about a registrant’s risk management, strategy, and governance while timely notification to investors of cybersecurity incidents.

The comment period will remain open for 60 days following publication of the proposal on the SEC’s website or 30 days following publication of the release in the Federal Register, whichever period is longer.