SEC’s issuer proposal on cyber security risk ‘a step further than Sarbanes Oxley’

Dan Barnes

The US market regulator, the Securities and Exchange Commission (SEC), has proposed amendments to its rules to enhance and standardise disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

Gary Gensler

“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC chair Gary Gensler. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”

Hester Peirce, commissioner, SEC.

However, there was dissent within the SEC, with commissioner Hester Peirce noting, “Such precise disclosure requirements look more like a list of expectations about what issuers’ cybersecurity programs should look like and how they should operate. The closest analogue is the Sarbanes-Oxley Act disclosure requirement relating to audit committee financial experts. Congress mandated that foray into corporate governance, which, at least, was directly related to the reliability of the financial statements at the heart of our disclosure system. We are going a step further this time by requiring detailed disclosure about discrete subject matter expertise of directors and employees who are not necessarily executive officers or significant employees, and about the frequency of interactions between the board and management on a specific topic.”

The proposed amendments would require, among other things, that public companies provide current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.

The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.

©Markets Media Europe, 2022