The U.S. Securities and Exchange Commission (SEC) proposed new regulations to address cybersecurity incidents in public companies. In a press release dated March 9, 2022, the SEC proposed renewed rules for companies and the need for disclosure of attacks among others. According to the reports, amendments to the existing rules were proposed by the SEC as it lacked adequate measures for companies in curbing risk, preparing strategies to thwart cybercrimes, and maintaining transparency in disclosing attacks.
The proposed rules by the SEC
The previous rules lacked a comprehensive action plan in addressing the increasing online crimes against companies. Hence, the new amendment includes the rules related to reporting cybersecurity incidents, giving periodic reports about recent progress made in previous cases, periodic reporting of registrant’s policies, and informing about the procedures the company has taken to identify and manage similar cybersecurity incidents.
The aim of the proposed amendment
attacks can have systemic effects on the economy as a whole, including serious effects on critical infrastructure and national security.” The investors will have a better understanding of the cybersecurity measures, and actions after the reporting made by companies, when this proposal is followed. The details collected would include the registrant’s risk management activities and governance. This would also help send regular notifications about cybersecurity incidents to the investors.
Enhanced and standardized disclosures about cybersecurity threats
The proposed rule as mentioned on the fact sheet outlines the need for reporting cybersecurity incidents on Form 8-K. The proposal further asks for details about the management’s role in implementing cybersecurity policies and the board of directors’ cybersecurity expertise. Their missing of following the standard action plan is also to be notified.
The urgency of cybersecurity in companies
The proposal highlighted how companies have suffered financial losses in the recent past.
It read, “In a 2019 survey, chief executive officers of the largest 200 global companies rated ‘national and corporate cybersecurity’ as the number one threat to business growth and the international economy in the next 5 or 10 years.”
Such findings among others across the globe have created a need for an overall action plan that not only includes reporting cybercrime but also taking all the necessary steps in curbing further risk with proper data disclosure.