The Securities and Exchange Commission is voting on Wednesday to propose new cybersecurity rules for public companies.
There are two components to the proposal:
- Mandatory cybersecurity incident reporting: “Material” incidents would have to be reported on an 8-K form within four business days of the incident. While the SEC has sought to get companies to disclose cybersecurity incidents since 2011, the agency has described the reporting of incidents as “inconsistent.”
- Required disclosures on company policies to manage cybersecurity risks: Companies must also provide updates on previously reported material cybersecurity incidents.
The proposed amendments will be put out for a public comment period, which will be either 30 days from when it is published in the Federal Register, or 60 days after it is issued, whichever is longer.
These proposed measures are part of a broader push by the SEC to enhance cybersecurity disclosure. On Feb. 9, the SEC issued proposed rules related to cybersecurity policies for investment advisors and registered funds, which are still out for public comment.
Now the regulators are turning their attention to public companies.
“A lot of issuers already provide cybersecurity disclosure to investors,” SEC Chair Gary Gensler said in a statement. “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”
An SEC spokesperson noted that these proposals had been under consideration for some time, but that the crisis in the Ukraine had given them a “special relevance.”
Cybersecurity is only a small part of the ambitious regulatory agenda Gensler has laid out. There are over 50 regulatory proposals under consideration by the SEC, one of the largest regulatory agendas in decades.