USA: SEC proposes rules on cybersecurity risk management for public companies
The Securities and Exchange Commission ('SEC') published, on 9 March 2022, proposed amendments to its rules to enhance and standardise disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies, and is requesting public comment on the proposal. In particular, the SEC chair, Gary Gensler, stated that "if adopted, it would strengthen investors' ability to evaluate public companies' cybersecurity practices and incident reporting".
In addition, the SEC stated that the proposed rule would require, among other things:
- current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents;
- periodic reporting about a registrant's policies and procedures to identify and manage cybersecurity risks;
- reporting about the registrant's board of directors' oversight of cybersecurity risk;
- reporting about management's role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures; and
- annual reporting or certain proxy disclosure about the board of directors' cybersecurity expertise, if any.
The public comment period will remain open for 60 days following the publication of the proposing release on the SEC website, on 9 March 2022, or 30 days following the publication of the release in the Federal Register, whichever period is longer.