
SEC announces delay in finalising new cyber security disclosure rules

The US Securities and Exchange Commission has said it is pushing back to October 2023 the finalisation of changes to how cyber security incidents are disclosed.

David Hollingworth
Mon, 03 Jul 2023

The proposed changes were first mooted in March 2022 and were originally going to be finalised in April 2023. The aim was to improve reporting regarding cyber risk and improve the transparency of the disclosure process.

“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC chair Gary Gensler at the time. “Today, cyber security is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks.”

“I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”

The proposed changes to the disclosure rules include building in a four-day disclosure period for “material” incidents, board governance requirements, and increased disclosure when it comes to levels of expertise on boards. More details on risk management were also proposed, as well as aggregation requirements for non-material incidents.

The SEC had proposed changes to risk management procedures for companies in the investment industry as well, including the need to implement established cyber security policies.

“The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification to investors of material cyber security incidents,” the SEC said in its March 2022 proposal document.

One of the possible reasons for the delay is that the FBI has raised concerns over the four-day disclosure period and how that may impact any active investigations into cyber incidents.

Others have raised similar concerns, so it’s likely that the SEC is taking more time to consider how to balance its own rather laudable aims with the requirements of law enforcement agencies and other concerned parties.

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
