USA: SEC proposes rules on cybersecurity risk management for public companies

The Securities and Exchange Commission ('SEC') published, on 9 March 2022, proposed amendments to its rules to enhance and standardise disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies, and is requesting comments on the proposal. In particular, the SEC chair, Gary Gensler, stated that "if adopted, it would strengthen investors' ability to evaluate public companies' cybersecurity practices and incident reporting".

In addition, the SEC stated that the proposed rule would require, among other things:

  • current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents;
  • periodic reporting about a registrant's policies and procedures to identify and manage cybersecurity risks;
  • the registrant's board of directors' oversight of cybersecurity risk;
  • the management's role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures; and
  • annual reporting or certain proxy disclosure about the board of directors' cybersecurity expertise, if any.

The public comment period will remain open for 60 days following the publication of the proposing release on the SEC website, on 9 March 2022, or 30 days following the publication of the release in the Federal Register, whichever period is longer.

You can read the press release here, the proposed rule here, and a fact sheet here.