
Richard "Dick" Brooks

Summation of SEC Cybersecurity impacts on Public Companies

This article from SEC Chair Gary Gensler contains some valuable insights into how public companies should consider preparing for SEC changes with regard to cybersecurity requirements. Here is a short excerpt from Chair Gensler's guidance:

Team Cyber

Adopting a heightened posture is a task that requires all of us. Last year, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), said that “cybersecurity is a team sport.” “Each and every one of us are a member of Team Cyber,” she said.[4]

Folks from the private sector—the folks that many of you in the audience represent—are on Team Cyber’s front lines.

Policy

Given the SEC’s mission, and the evolving cybersecurity risk landscape, when considering work at the SEC, I think about it in three ways:

  • cyber hygiene and preparedness;
  • cyber incident reporting to the government; and
  • in certain circumstances, disclosure to the public.

Public Companies

The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis.

Disclosure regimes evolve over the decades. Cybersecurity is an emerging risk with which public issuers increasingly must contend.

To this end, in March, the Commission proposed rules that would enhance issuers’ cybersecurity disclosures in two key ways.[12]

First, it would require mandatory, ongoing disclosures on companies’ governance, risk management, and strategy with respect to cybersecurity risks. This would allow investors to assess these risks more effectively. For example, under the proposed rules, companies would disclose information such as:

Second, we proposed requiring mandatory, material cybersecurity incident reporting, because such material cybersecurity incidents could affect investors’ decision-making.
