Further, the proposal would require a company to describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether it considers cybersecurity as part of its business strategy, financial planning and capital allocation. The proposal would also require disclosure about a board's oversight of cybersecurity risk, and management's role and expertise in assessing and managing cybersecurity risk and implementing the company's cybersecurity policies, procedures and strategies, the SEC noted in a fact sheet.
"Today, cybersecurity is an emerging risk with which public issuers increasingly must contend," SEC Chairman Gary Gensler said in a news release. "Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable and decision-useful manner."
In her dissenting statement, Ms. Peirce said that while the SEC regulates public companies' disclosures, it does not regulate their activities. "While the integration of cybersecurity expertise into corporate decision-making likely is a prudent business decision for nearly all companies, whether, how and when to do so should be left to business — not SEC — judgment," Ms. Peirce said. "Regulators may have a role to play in working with companies on cybersecurity, but we are not the regulators with the necessary expertise."
The comment period will be open for 60 days following publication on the SEC's website or 30 days following publication in the Federal Register, whichever period is longer.
At a meeting last month, the SEC approved a proposal to require investment advisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm clients and investors. The proposed rules would also require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the commission on a new confidential form.