Tough new SEC cyber risk disclosure rules have left companies kicking and screaming in their wake
The US Chamber of Commerce had fumed that the SEC’s “unprecedented micromanagement of companies’ cybersecurity programs is misguided”
The US’s markets watchdog has adopted controversial new cybersecurity disclosure rules that will force listed companies to detail the Board of Directors’ (BOD) oversight of cyber risk – and even compel the disclosure of “material” cybersecurity incidents within four days. Initial proposals that would have forced companies to specifically detail whether they have a CISO and who they report to have been dropped to “streamline” the rules.
The Securities and Exchange Commission (SEC) said on July 26 that it is introducing the rules to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies” – and emphasised that such disclosures will need to be made publicly available in machine-readable inline XBRL format.