As anticipated the SEC is now proposing to require public Investor Owned Utilities (IOU) to add more "cybersecurity controls" to the workload of their compliance and security personnel. It's conceivable that an IOU could be subject to 3 regulatory regimes, with regard to cybersecurity controls and practices, NERC, FERC and now the SEC, in addition to any local, State regulatory requirements - and each could specify different requirements that need to be followed. Welcome to the new world of cybersecurity compliance.Â
Specifically, the proposal would:
â—Ź Require current reporting about material cybersecurity incidents on Form 8-K;
â—Ź Require periodic disclosures regarding, among other things:
o A registrant’s policies and procedures to identify and manage cybersecurity risks;
o Management’s role in implementing cybersecurity policies and procedures;
o Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
o Updates about previously reported material cybersecurity incidents; and
â—Ź Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).