Cybersecurity is one of the biggest issues in the financial world, and the SEC is announcing potential rule changes designed to increase the transparency of cybersecurity disclosures. That way, investors have the information they need to appropriately manage their risk.
Public companies are required to comply with reporting requirements as laid out in the Securities Exchange Act of 1934. Now, this information includes cybersecurity disclosures. Investors need to understand what types of risks they might be facing if they invest in certain companies, and these companies need to disclose information about their cybersecurity practices, particularly with the ever-present threat of viruses and malware.
What Do Investors Need To Know?
The SEC has proposed a variety of amendments with the goal of keeping investors in the loop about different cybersecurity practices of different companies. Furthermore, the SEC wants to make changes to make it easier for investors to learn about cybersecurity incidents that take place with publicly traded companies.
Some of the disclosures that these rule changes might require include:
Companies would be required to submit regular reports about various cybersecurity incidents that have an impact on the company’s operations.
Entities would need to provide updates about previously reported cybersecurity incidents. That way, investors understand what steps companies are taking to try to rectify the situation.
Cybersecurity information in disclosures would need to be presented in a format that is easy for investors to download, such as XBRL. This will make it easier for people to download into a spreadsheet.
Businesses would also need to provide information about how different cybersecurity risks might impact the securities offered by the business.
All registrants will be required to provide periodic disclosures about different policies and procedures. These disclosures would need to cover cybersecurity risks, the role that management is playing in implementing cybersecurity procedures and policies, and the cybersecurity expertise of the individual members of the board.
There have been a number of high-profile cyberattacks during the past few years, and they appear to be hitting just about every industry. These attacks can have a significant impact on the ability of a company to generate revenue, and the SEC believes that it is important for investors to know about these risks. That is why these rule changes have been proposed.
These Amendments Are Open for Public Comment
Right now, these are just proposals, and the SEC is curious about what people think the impact of these rules might be. The public may submit comments and feedback about these rules for 30 days after the changes have been published in the Federal Register. Then, the SEC will make a final decision about what to do with the proposals. Anyone who is interested in learning more about these changes can take a look at the rule in the Federal Register, and they can visit the Proposed Rules section of the SEC’s website.