The Securities and Exchange Commission (SEC) issued proposed rules that, if finalized, would change disclosures of cybersecurity incidents and risk management. The proposed rules apply to public companies that are subject to the Securities Exchange Act of 1934.
The rules are intended to standardize disclosures about cybersecurity risk management, strategy, governance and incident reporting. They require periodic disclosures about a company’s policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise and oversight of risk.