While the SEC has been pushing public companies to improve their cybersecurity, minimal adoption of stronger cybersecurity rules has led the agency to draft new rules requiring more formal cybersecurity reporting and disclosure. The SEC proposal outlines several requirements designed to improve cybersecurity awareness and reporting for corporate executives and board members. The first is cybersecurity incident reporting, including current reporting about material incidents and periodic reporting about previous incidents. The second is cybersecurity policies, such as periodic reporting about policies and procedures to identify and manage risks. The third is management requirements, including management’s role and expertise in assessing and managing risk and in implementing policies and procedures. The final requirement is board oversight, such as reporting on how the board of directors performs oversight of cybersecurity and disclosure of the board of directors’ cybersecurity expertise, if any.
Finsum: The SEC recently drafted new cybersecurity rules for companies, including incident reporting, policies, management requirements, and board oversight.