The US Securities and Exchange Commission (SEC) has adopted rules requiring registrants to disclose material cybersecurity incidents, as well as to report risk management, strategy, and governance information on an annual basis. These rules will require public companies to disclose the material aspects of cybersecurity incidents, including their nature, scope, and timing, as well as their likely material impact on the registrant. The rules will also require companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects, or reasonably likely material effects, of risks from cybersecurity threats and of previous cybersecurity incidents. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures. SEC Chair Gary Gensler acknowledged that many public companies already provide cybersecurity disclosure to investors, but suggested both parties would benefit if this disclosure were made in a “more consistent, comparable, and decision-useful way”. He added that by helping to ensure that companies disclose material cybersecurity information, these rules will “benefit investors, companies, and the markets connecting them”. The SEC has also proposed new rules to address risks to investors from conflicts of interest associated with the use of artificial intelligence.
We @SECGov adopted rules regarding cybersecurity disclosures by public companies.
These rules will enhance & standardize disclosures to investors with regard to public companies’ cybersecurity practices as well as material cybersecurity incidents.
— Gary Gensler (@GaryGensler) July 26, 2023