This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Insights Insights
| less than a minute read

SEC Floats Draft Cyber Reporting Rules for Public Companies

Under draft rules announced in early March, the SEC would require reporting of material cyber security incidents, as well as updates on previously disclosed incidents and details of their cyber defense strategy and expertise.  

The SEC says many public companies already provide disclosures of these kinds, and that regulating them would allow investors to compare information between companies more easily. Presumably, gathering the new details would fall to those persons who already manage compliance disclosures such as those under Sarbanes-Oxley and existing securities reporting laws.  

There will be a public comment period on the draft regulations before they take effect.  

Why it Matters

The idea that companies should be compelled to share cyber security information with the public would bring cyber issues into the mainstream of reporting and compliance. If public companies face compulsory reporting, it is also likely that public disclosure of such issues will become more common (and assume a more standardized form) among all companies.  

The U.S. Securities and Exchange Commission last week rolled out a host of proposed new cybersecurity rules for public companies, including a requirement to disclose material cybersecurity incidents within four days.


insights, hill_mitzi, data security and privacy