The US Securities and Exchange Commission (SEC) on March 9 proposed new rules to enhance and standardize disclosures relating to the risk management, strategy, governance, and incident reporting requirements of cybersecurity applicable to public companies (registrants).
The proposed rules are intended to address growing concerns surrounding the disclosure and reporting of cybersecurity incidents and, in particular, the underreporting of material cybersecurity incidents; the timing of the reporting that does take place; the lack of detailed disclosures regarding incidents; and the inclusion of unrelated information when disclosures are being made. These issues can make it harder to locate, interpret, and analyze a registrant’s cybersecurity disclosure.
The proposed rules are aimed at protecting investors and other capital market participants while encouraging “well-functioning, orderly and efficient markets.” It is important to ensure there is timely notification of material cybersecurity incidents as well as the disclosure of “consistent, comparable, and decision-useful information to enable an effective assessment” of a registrant’s exposure to, and ability to manage and mitigate, cybersecurity risks and threats.
Read more about the proposed rules in the Morgan Lewis LawFlash.