SEC Proposes New Rules on Cybersecurity, Risk Management, Strategy, Governance, and Incident Disclosures

The costs that cybersecurity incidents impose on companies and their investors are increasing, and the rate of increase is itself going up. The Securities and Exchange Commission (SEC) is proposing amendments to its rules that would require public companies to provide better information about their cybersecurity risk management and incident reporting.

Currently, the majority of cybersecurity incidents are reported in a Form 8-K, a press release, or a periodic report. However, the SEC has observed some incidents that were reported in the media but were not disclosed in corporate filings. The nature of the filings also varies widely: the level of specificity regarding the cause, scope, impact, and materiality of an incident differs from company to company. The SEC staff has noticed that most companies that disclose cybersecurity risks in their annual reports do so in the risk factor section of their Form 10-K. However, these disclosures are sometimes mixed with unrelated disclosures, which makes it more difficult for investors to find, understand, and assess the information provided. Companies' disclosure of cybersecurity incidents and risk management has improved since 2011, but current reporting may still lack detail and consistency.

The SEC believes that investors would benefit from more detailed and consistent disclosures about cybersecurity incidents and risk management, including whether a company's board of directors has cybersecurity expertise. To address these issues, the SEC is proposing rule amendments to enhance disclosure in these areas. The proposal would require companies to provide more detail about their policies and procedures for managing cybersecurity risks, as well as information about material cybersecurity incidents. This would help investors evaluate a company's cybersecurity practices and incident reporting.

The proposal is open for public comment for 60 days after it is published on the SEC's website or 30 days after publication in the Federal Register, whichever period is longer. The SEC press release can be found here, and the proposed rule, along with more information about its background, can be found here.

A brief factsheet by the SEC can be found here.