
InfoBytes Blog

Financial Services Law Insights and Observations

SEC proposes amendments to cybersecurity risk management

Securities SEC Agency Rule-Making & Guidance Privacy/Cyber Risk & Data Security Disclosures Data Breach


On March 9, the SEC announced proposed amendments to standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed amendments would require, among other things, “current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.” Specifically, firms would be required to describe their policies and procedures for the identification and management of cyber risks, provide information about the board’s oversight of and management’s role in cybersecurity risk, and disclose if a member of the board has expertise in cybersecurity. According to the SEC, “[t]he proposed amendments are intended to better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.” Comments are due 60 days after publication in the Federal Register.

The same day, the SEC published a fact sheet clarifying, among other things, how the amendments are applied and what is required. SEC Chair Gary Gensler issued a statement saying he was “pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” In a dissenting statement, SEC Commissioner Hester M. Peirce said the proposed amendments “flirt[] with casting us as the nation’s cybersecurity command center, a role Congress did not give us,” and argued that the “precise disclosure requirements look more like a list of expectations about what issuers’ cybersecurity programs should look like and how they should operate.”