SEC Issues Proposal on Public-Company Cybersecurity Disclosures
March 9, 2022
The SEC has issued a proposed rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The proposed rule would require a registrant to provide (1) “current reporting about material cybersecurity incidents”; (2) “periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk”; (3) “updates about previously reported cybersecurity incidents in their periodic reports”; and (4) “cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language.”
For more information, see the press release and fact sheet, as well as statements by SEC Chair Gary Gensler and Commissioners Hester M. Peirce and Caroline A. Crenshaw, on the SEC’s Web site.