Recently, SEC Chair Gary Gensler delivered a speech about cybersecurity. A section of that speech was devoted to what public companies now disclose about their cybersecurity practices and incidents, and what they would disclose once the SEC ultimately adopts the new cyber disclosure rules that it plans to propose in the near term.
Here are three themes Chair Gensler highlighted in addressing potential SEC rulemaking for public companies on cybersecurity:
1. Rule proposals may include practices with respect to corporate cybersecurity governance, strategy, and risk management.
2. Cyber risk disclosure should be presented in a consistent, comparable, and decision-useful manner across companies.
3. The SEC Staff is considering whether – and how – to update disclosures to investors when cyber events have occurred.