The Securities and Exchange Commission (SEC) has proposed rule amendments to enhance and standardise disclosure regarding cyber risk management, strategy, governance and incident reporting by public firms.
According to the SEC, the proposed amendments would require current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.
The proposal would also mandate periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cyber policies and procedures.
The SEC said the amendments are intended to better inform investors about a registrant’s risk management, strategy and governance and to provide timely notification to investors of material cybersecurity incidents.
SEC chair Gary Gensler said, “Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs. Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks.
“A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”
Copyright © 2022 FinTech Global