As cybersecurity threats to the private and public sectors increase, the government has continued its efforts to enhance cybersecurity outside of government-controlled systems. On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) issued proposed rules regarding cybersecurity risk management, strategy, governance, and incident disclosure for public companies subject to the reporting requirements of the Securities Exchange Act of 1934. These rules are distinct from the February 2022 proposed rules covering registered funds and advisers and are intended to enhance and standardize public companies’ disclosures.
The SEC cited long-standing concerns about the need for companies to maintain secure and reliable information systems, and also highlighted new and increased vulnerabilities and threats such as digitalization, remote work, reliance on cloud and other third-party services, digital and virtual payments, and sophisticated ransomware and malware campaigns. These factors create risk to the overall economy and create costs and consequences for businesses and investors. As a result, the SEC found that “cybersecurity is among the most critical governance-related issues for investors” and that there “may also be a positive correlation between a registrant’s stock price and investments in certain cybersecurity technology.” The SEC further assessed that cybersecurity-related disclosures based on its 2018 Interpretive Release did not follow consistent substantive or procedural standards and were not always distinguished from other, unrelated disclosures.