SEC Requests Comments on Cybersecurity Disclosure Rules
In March 2022, the Securities and Exchange Commission (SEC) published on its website and in the Federal Register proposed rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The proposed rules seek to enhance and standardize disclosures regarding public companies’ cybersecurity risk governance and cybersecurity incident reporting. The SEC states that the proposed amendments will require current reporting about material cybersecurity incidents and require registrants to provide updates about previously reported cybersecurity incidents in their periodic reports. The proposed rules will also “require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.”
The proposed rules would affect public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. The SEC has prepared and published an Initial Regulatory Flexibility Analysis (IRFA) for the proposed rules, noting that the proposed amendments will impose the same requirements on all registrants irrespective of size. The agency requests public comment on its IRFA, and specifically on how the proposed disclosure amendments would affect small entities.
The comment period closes May 9, 2022.