U.S. Securities And Exchange Commission Issues New Cyber Reporting Rules For Public Companies
The U.S. Securities and Exchange Commission (SEC) has issued a proposed rule that would impose current reporting obligations for material cybersecurity incidents and periodic reporting requirements covering how public companies manage cybersecurity risk.
Specifically, according to the SEC’s fact sheet, the proposed rule would require public companies to:
- Disclose information about a material cybersecurity incident within four business days after the company determines that the incident is material;
- Provide updated disclosure about material changes, additions, or updates related to material cybersecurity incidents previously disclosed;
- Describe the company’s policies and procedures for the identification and management of cybersecurity risks;
- Provide disclosures about the company board’s oversight of cybersecurity risk and disclosures about management’s role and expertise in assessing and managing cybersecurity risk and in implementing cybersecurity policies; and
- Disclose whether any board member(s) have expertise in cybersecurity.
Comments are due to the SEC by May 9, 2022.
In related news, both the U.S. House and Senate approved key provisions of the Cyber Incident Reporting for Critical Infrastructure Act as part of the omnibus spending bill. The act requires entities in critical infrastructure sectors to report covered cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of reasonably believing an incident has occurred, and to report any ransomware payment within 24 hours of making it.
President Joe Biden already has signed the omnibus into law.
“CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure,” said CISA Director Jen Easterly. “This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims. CISA is committed to working collaboratively and transparently with our industry and federal government partners in order to enhance the security and resilience of our nation’s networks and critical infrastructure.”