The US Securities and Exchange Commission (SEC) has said it is pushing back the finalisation of changes to how cyber security incidents are disclosed until October 2023.
The proposed changes were first mooted in March 2022 and were originally going to be finalised in April 2023. The aim was to improve reporting regarding cyber risk and improve the transparency of the disclosure process.
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC chair Gary Gensler at the time. “Today, cyber security is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks.”
“I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”
The proposed changes to the disclosure rules include building in a four-day disclosure period for “material” incidents, board governance requirements, and increased disclosure when it comes to levels of expertise on boards. More details on risk management were also proposed, as well as aggregation requirements for non-material incidents.
The SEC had proposed changes to risk management procedures for companies in the investment industry as well, including the need to implement established cyber security policies.
“The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification to investors of material cyber security incidents,” the SEC said in its March 2022 proposal document.
One of the possible reasons for the delay is that the FBI has raised concerns over the four-day disclosure period and how that may impact any active investigations into cyber incidents.
Others have raised similar concerns, so it’s likely that the SEC is taking more time to consider how to balance its own rather laudable aims with the requirements of law enforcement agencies and other concerned parties.