SEC Adopts Cybersecurity Risk, Incident Disclosure Rules

The US Securities and Exchange Commission (SEC) has ratified rules requiring registrants to disclose material cybersecurity incidents and to provide risk management, strategy, and governance information on an annual basis. These rules will require public companies to disclose the material aspects of cybersecurity incidents, including their nature, scope, and timing, as well as their likely material impact on the registrant. The rules will also require companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures. Gary Gensler, Chair of the SEC, acknowledged that many public companies already provide cybersecurity disclosure to investors, but suggested both parties would benefit if this disclosure were made in a “more consistent, comparable, and decision-useful way”. He added that by helping to ensure that companies disclose material cybersecurity information, these rules will “benefit investors, companies, and the markets connecting them”. The SEC has also proposed new rules to address risks to investors from conflicts of interest associated with the use of artificial intelligence.

Copyright © 2024 ESG Investor Ltd. Company No. 12893343. ESG Investor Ltd, Fox Court, 14 Grays Inn Road, London, WC1X 8HN
