The new rules are meant for public companies subject to the reporting requirements of the Securities Exchange Act of 1934. These rules are distinct from the February 2022 proposed rules covering registered funds and advisers and are intended to improve and standardise public companies’ disclosures.
The SEC cited long-standing concerns about the need for companies to maintain secure and reliable information systems, and also highlighted new and increased vulnerabilities and threats such as digitalisation, remote work, reliance on cloud and other third-party services, digital and virtual payments, and sophisticated ransomware and malware campaigns. These factors create risks to the overall economy and create costs and consequences for businesses and investors. As a result, the SEC found that ‘cybersecurity is among the most critical governance-related issues for investors’ and that there ‘may also be a positive correlation between a registrant’s stock price and investments in certain cybersecurity technology’. The SEC further assessed that cybersecurity-related disclosures based on its 2018 Interpretive Release did not follow consistent substantive or procedural standards and were not always distinguished from other, unrelated disclosures.
Accordingly, the SEC determined that investors would benefit from ‘more timely and consistent disclosures’ by public companies of several categories of cybersecurity-related information: (1) material cybersecurity incidents, (2) risk management and strategy, (3) governance, and (4) cybersecurity expertise among board members. The SEC’s proposed reporting requirements are discussed in greater detail below.