Earlier this year, the U.S. Securities and Exchange Commission (SEC) announced that it was proposing new rules to standardize disclosures by publicly traded companies related to cybersecurity risk management, strategy, governance, and incident reporting.
Although the rules have yet to be formally adopted by the agency, suggested requirements include:
- Current reporting about “material” cybersecurity incidents.
- Periodic updates about previously reported cybersecurity incidents.
- Periodic disclosures regarding a company’s policies and procedures to identify and manage cybersecurity risk.
- The board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risks.
- And management’s role and expertise in not only assessing and managing cybersecurity risk, but also implementing cybersecurity policies and procedures.
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” SEC Chair Gary Gensler said in a statement. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of…
