SEC proposes new rules and amendments regarding cybersecurity.
The US Securities and Exchange Commission (SEC) has proposed new rules and amendments for public companies regarding cybersecurity. The SEC stated that the proposed rules and amendments include reporting about material cybersecurity incidents on Form 8-K, periodic disclosures regarding “registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk, and updates about previously reported material cybersecurity incidents,” and a requirement that cybersecurity disclosures be presented in Inline eXtensible Business Reporting Language (Inline XBRL).
The American Council of Life Insurers (ACLI) responded to the proposal, urging the SEC to ensure that all cybersecurity proposals align with current cybersecurity frameworks. The ACLI stated, “Specific items that would benefit from alignment include: (1) notice timeframes; (2) the definition of what constitutes an incident, and when it arises to the level of a reporting requirement; (3) specified coordination among regulators, as where a company has notified its primary regulator; and (4) exceptions for law enforcement investigations.”
The Software Alliance (BSA) has also responded to the proposal, urging the SEC to “continue to support sound cybersecurity risk management” by providing tailored exceptions to new disclosure deadlines, allowing more reasonable flexibility in material cyber incident disclosure, reducing the required information reported by registrants on Form 8-K if it requires public disclosure, and clarifying that the incident disclosure requirement only applies to companies affected by a material cybersecurity attack, not third-party service providers.
The Digital Directors Network has also responded in support of the proposal, stating “strong support for the broader proposal, especially Item E. We’ve already been working to advance this issue over the last five years and our support and comments come from our depth of experience and informed insights on this issue. We are America’s leader in digital and cyber risk governance, and your proposal has the strong support of the more than 700 technology and cyber leaders who are our members.”