Under draft rules announced in early March, the SEC would require public companies to report material cyber security incidents, provide updates on previously disclosed incidents, and describe their cyber defense strategy and expertise.
The SEC says many public companies already provide disclosures of these kinds, and that regulating them would allow investors to compare information between companies more easily. Presumably, gathering the new details would fall to those persons who already manage compliance disclosures such as those under Sarbanes-Oxley and existing securities reporting laws.
There will be a public comment period on the draft regulations before they take effect.
Why It Matters
Compelling public companies to share cyber security information with the public would bring cyber issues into the mainstream of reporting and compliance. If public companies face compulsory reporting, it is also likely that public disclosure of such issues will become more common (and take a more standardized form) among all companies.