Since 2011, the SEC has offered guidance concerning registrants’ existing disclosure obligations relating to cybersecurity and other incidents. In a 3-1 vote on March 9, 2022, the SEC proposed amendments to its existing rules, which aim to inform investors about public companies’ risk management, strategy, governance, and incident reporting. The proposed changes come at a time of growing regulatory concern about how cybersecurity issues could affect markets and investors.
The proposed amendments would require, among other things:
- Current reporting about material cybersecurity incidents and periodic updates about previously reported cybersecurity incidents.
- Periodic reporting about:
  - the registrant’s policies and procedures regarding identifying and managing cybersecurity risks;
  - how the registrant’s board of directors is exercising oversight of cybersecurity risk;
  - how management is assessing and managing cybersecurity risk; and
  - how management is implementing cybersecurity policies and procedures.
- Annual reporting or certain proxy statement disclosures about the cybersecurity expertise, if any, among members of the registrant’s board of directors.
Favoring the proposed amendments, SEC Chair Gary Gensler stated that the proposed changes “would strengthen the ability of investors to evaluate cybersecurity incidents and reporting of precautions by the companies they own by making consistent, comparable, reliable, and decision-making information available.”
On the opposing side, SEC Commissioner Hester M. Peirce expressed her belief that the proposed amendments put the SEC in a position where it is overstepping its boundaries. She stated, “We have an important role to play in ensuring that investors get the information they need to understand issuers’ cybersecurity risks if they are material. This proposal, however, flirts with casting us as the nation’s cybersecurity command center, a role Congress did not give us.”
The proposing release will be published on SEC.gov and in the Federal Register. The comment period will remain open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.