SEC weighs reporting requirements for publicly traded companies

The Securities and Exchange Commission Wednesday proposed new cybersecurity risk management and disclosure rules for publicly traded companies, at the center of which is a requirement that companies report cybersecurity incidents to the agency within four days of determining one occurred.

The proposed rules would also require that publicly traded companies periodically disclose their policies for managing and identifying cybersecurity risk, management’s role in managing cybersecurity and the board of directors’ oversight role and cybersecurity expertise.

“A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” SEC Chair Gary Gensler said in a statement.

The amendments follow a similar proposal released by the agency last month aimed at tightening security requirements for investment firms and advisers.

The agency’s actions come as Congress pushes to define reporting requirements through legislation. The Senate last Tuesday passed legislation that would require critical infrastructure owners and operators as well as federal agencies to report attacks to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency within 72 hours. The House is expected to vote on that legislation on Wednesday, after lawmakers folded it into a broader omnibus spending bill.

The latest SEC proposal, which advanced with a 3-1 vote, will now go to a 60 day public comment period before final approval.