SEC Proposes Cybersecurity Disclosures by Public Issuers
The SEC proposed new disclosure requirements regarding cybersecurity risk management, governance, strategy, and incident reporting by public companies. The proposed requirements are meant to (i) inform investors as to an issuer's risk management strategy and governance and (ii) provide prompt notification to investors of material cybersecurity incidents, as well as periodic updates on such incidents.
Proposed Rulemaking
The proposal would require:
- public reporting about material cybersecurity incidents on Form 8-K within four business days of determining that a company has experienced a material cybersecurity incident;
- periodic disclosures regarding, among other things: (i) a registrant’s policies and procedures to identify and manage cybersecurity risks, (ii) management’s role in implementing cybersecurity policies and procedures, (iii) the board of directors’ cybersecurity expertise (if any), and its oversight of cybersecurity risk, and (iv) updates as to previously reported material cybersecurity incidents; and
- cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language.
Commissioner Statements
SEC Commissioner Hester M. Peirce opposed the proposed amendments, stating that they "flir[t] with casting [the SEC] as the nation’s cybersecurity command center, a role Congress did not give us." She further noted that the SEC regulates companies’ disclosures and not their activities, and that it is ultimately up to the company itself to integrate cybersecurity expertise into its corporate decision-making.
SEC Chair Gary Gensler supported the proposed amendments, stating that "[o]ver the years, our disclosure regime has evolved to reflect evolving risks and investor needs" and that today, "cybersecurity is an emerging risk with which public issuers increasingly must contend."
SEC Commissioner Caroline A. Crenshaw also supported the proposed amendments, stating that "the sophistication and frequency of cyberattacks have increased [and] that [the] increase has imposed corresponding economic harms and increased expenses on companies, and their investors." She further stated that the proposed amendments are meant to reconcile the inconsistencies that current cybersecurity disclosures exhibit.
The comment period will remain open for the longer of 60 days following publication of the release on the SEC’s website or 30 days following publication in the Federal Register.