On March 9, 2022, the SEC proposed rules, by a 3-1 vote, that are
intended to enhance disclosures about cybersecurity risk
management, strategy, governance, and incident reporting by public
companies. The proposed rules are premised on the idea that
“investors would benefit from greater availability and
comparability of disclosure by public companies across industries
regarding their cybersecurity risk management, strategy, and
governance practices in order to better assess whether and how
companies are managing cybersecurity risks.” If adopted as
proposed, the rules will dramatically impact the way public
companies, boards, and management disclose cyber incidents and
matters relating to their cybersecurity oversight (including board
and management expertise). The proposed rules represent a
significant expansion of the current guidance, which dates back to
2011 and 2018 (see our prior post), and if adopted as released, will likely
lead to operational and governance changes for many businesses.
The Proposed Rules
The proposal addresses the perceived need for enhanced
cybersecurity disclosures in several ways, including through new
current reporting and…
