Companies should get ahead of the curve and be mindful that incident disclosure obligations will become a major priority, even when doing so might harm the efforts of law enforcement.

October 6, 2022

SEC Cybersecurity Disclosure Rules: What’s Coming and Who’s Reacting

Below is an excerpt from ISS Corporate Solution’s recently released paper “SEC Cybersecurity Disclosure Rules: What’s Coming and Who’s Reacting”. The full paper is available for download from the ISS Corporate Solutions (ICS) online library.


The Securities and Exchange Commission is preparing to release a new set of rules requiring public companies to become much more transparent about how they manage cyber security risk. Comments submitted on the proposed regulations reflect concerns that some of the revised rules may conflict with state laws and could force the premature disclosure of a cybersecurity incident.

The proposed rules aim to speed up the disclosure of cybersecurity breaches, increase the amount of data to be disclosed and require information on cybersecurity practices and oversight. These rules focus on four key areas including disclosure of material incidents, the provision of information on a company’s risk-management practices, strategy, and governance as well as the amount of cybersecurity expertise among board members.

Our research show that companies will need to revisit their cybersecurity policies to determine whether they include all the elements that the SEC has deemed important, such as procedures for overseeing cybersecurity risk among third-party service providers. Communications systems and oversight responsibilities will also need to be codified if aren’t already, at both the management board level. Companies without a chief information security officer, or equivalent, should consider whether such a position should be created.

Key Takeaways:

  • Proposal requires companies to report cybersecurity incidents within four business days of determining that they are material
  • Disclosure of cyber risk management, practices to be mandatory under proposed rules
  • SEC suggests a specific director with cybersecurity expertise be appointed to boards
  • Commentators concerned that premature disclosure of cyber incidents may do more harm than good
  • Law enforcement, national security issues raised in comments to SEC
  • CalPERS, voiced wholesale support for every aspect of the proposed rule

By: Paul Hodgson, Senior Editor, ISS Corporate Solutins
Kimberly Manibusan, Executive Director, Cyber Strategy, ISS Corporate Solutions

Share this