SEC Issues Proposal on Cyber Risk Management, Incident Reporting

A new proposal by the Securities and Exchange Commission today would create new requirements for public companies regarding the disclosure of cybersecurity incidents. Among other things, the SEC would amend Form 8-K to require that registrants “disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident.”

The proposal would also require enhanced and standardized disclosure of cyber risk management, strategy and governance practices as part of various filings. Specifically, firms would be required to describe their policies and procedures for the identification and management of cyber risks, provide information about the board’s oversight of and management’s role in cybersecurity risk, and disclose whether any member of the board has expertise in cybersecurity. Comments on the proposal will be due 60 days after publication in the Federal Register.