SEC weighs reporting requirements for publicly traded companies

The amendments follow a similar proposal the agency released last month aimed at tightening security for investment firms and advisers.
Gary Gensler, Chair of the Securities and Exchange Commission, takes his seat before the start of the Senate Banking, Housing and Urban Affairs Committee hearing on Sept. 14, 2021. (Photo by BILL CLARK/POOL/AFP via Getty Images)

The Securities and Exchange Commission Wednesday proposed new cybersecurity risk management and disclosure rules for publicly traded companies, at the center of which is a requirement that companies report cybersecurity incidents to the agency within four days of determining one occurred.

The proposed rules would also require that publicly traded companies periodically disclose their policies for managing and identifying cybersecurity risk, management’s role in managing cybersecurity and the board of directors’ oversight role and cybersecurity expertise.

“A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” SEC Chair Gary Gensler said in a statement.

The amendments follow a similar proposal released by the agency last month aimed at tightening security requirements for investment firms and advisers.


The agency’s actions come as Congress pushes to define reporting requirements through legislation. The Senate last Tuesday passed legislation that would require critical infrastructure owners and operators as well as federal agencies to report attacks to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency within 72 hours. The House is expected to vote on that legislation on Wednesday, after lawmakers folded it into a broader omnibus spending bill.

The latest SEC proposal, which advanced with a 3-1 vote, will now go to a 60-day public comment period before final approval.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
