Traders on the NYSE floor, March 2, 2022.
Source: New York SE
The Securities and Exchange Commission voted Wednesday to propose new cybersecurity rules for public companies.
The proposal consists of two components:
- Mandatory reporting of cybersecurity incidents: “Significant” incidents would need to be reported on an 8-K form within four business days of the incident. While the SEC has tried to get companies to disclose cybersecurity incidents since 2011, the agency has called incident reporting “inconsistent.”
- Required disclosures of company policies for managing cybersecurity risks: Organizations must also provide updates on previously reported significant cybersecurity incidents.
The proposed changes will be posted for a public comment period that runs for either 30 days after their publication in the Federal Register or 60 days after their posting, whichever is longer.
These proposed measures are part of a broader push by the SEC to improve cybersecurity disclosures. On February 9, the SEC released proposed rules regarding cybersecurity guidelines for investment advisers and registered funds, pending public comment.
Now regulators are turning their attention to public companies.
“Many issuers are already providing investors with cybersecurity disclosures,” SEC Chairman Gary Gensler said in a statement. “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”
An SEC spokesman noted that these proposals have been under review for some time but have been given “particular relevance” by the crisis in Ukraine.
Cybersecurity is just a small part of the ambitious regulatory agenda that Gensler has outlined. The SEC is currently reviewing over 50 regulatory proposals, one of the largest regulatory agendas in decades.