The Securities and Exchange Commission has proposed to amend its rules to improve and standardize disclosures by public companies regarding incident reporting, cybersecurity risk management, governance and strategy.
The proposal would require current reporting of material cyber incidents and periodic reporting to offer updates on previously reported attacks as well as direct periodic reporting of a registrant’s policies to manage cyber vulnerabilities and cyber risk oversight of the registrant’s board of directors, SEC said Wednesday.
SEC also proposed annual reporting requirements about the cyber expertise of the board of directors. Periodic reporting would also be required about the management’s role in cyber risk assessment and implementation of cyber policies.
“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. … I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” said SEC Chair Gary Gensler.
“I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting,” Gensler added.
The proposed rules will be open for public comments once published in the Federal Register or on the commission’s website.
