SEC Proposes New Rules for Cybersecurity Reporting by Public Companies

March 9, 2022

The Securities and Exchange Commission (SEC) recently proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies.

Among other things, the proposed amendments would require current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. In addition, the proposal would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise.

The SEC stated that the proposed amendments are intended to better inform investors about a registrant's risk management, strategy and governance and to provide timely notification to investors of material cybersecurity incidents.

The comment period will remain open for 60 days following publication of the proposing release on the SEC's website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.