The SEC today proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.
The proposed amendments would require, among other things, current reporting on a Form 8-K about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, as well as reporting when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.
The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors' oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any. The new disclosure would also need to be tagged with XBRL.
