"SEC Proposes New Cybersecurity Rules for Public Companies"

The US Securities and Exchange Commission (SEC) recently proposed new rules for public companies, which standardize event reporting and necessitate regular reporting on cybersecurity policies and procedures. The new rules are intended to better inform investors about a registrant's risk management, strategy, and governance, as well as to provide timely notification of material cybersecurity incidents, according to the SEC. The SEC proposes amendments to require timely reporting of significant cybersecurity incidents. The agency also proposes requiring periodic disclosures about a registrant's cybersecurity policies and procedures, management's role in implementing cybersecurity policies and procedures, and the board of directors' cybersecurity expertise and oversight of cybersecurity risk. If the new cybersecurity rules are passed, companies must report within four business days of discovering a material event. A determination, on the other hand, is not the same as the date of discovery. According to the proposal, reporting cannot be delayed while the company conducts internal investigations. In addition, the proposal includes non-inclusive examples of material events such as an unauthorized incident that jeopardized the confidentiality, integrity, or availability of an information asset (i.e., data, system, or network). Another material event would be one in which an unauthorized party accessed, or a party exceeded authorized access, and altered or stole sensitive business information, personally identifiable information, intellectual property, or information, resulting in, or potentially resulting in, a loss or liability for the registrant. This article continues to discuss the new security rules proposed by the SEC for public companies. 

Security Intelligence reports "SEC Proposes New Cybersecurity Rules for Public Companies"