Earlier this year, SEC Chair Gary Gensler proposed new rules about the handling and reporting of cyber risk and breaches. The proposal is trying to bring some consistency and timeliness to reporting because, despite the previous 2011 and 2018 guidance, the reporting was frequently delayed or didn’t have sufficient details.
The primary changes would include a four-day reporting window for material cybersecurity incidents, requirements to update previous disclosures if a set of formerly immaterial incidents becomes material later, and requirements that registrants describe their cybersecurity policies and procedures, as well as how much oversight and knowledge the board has about those procedures and their implementation.
On the surface, these proposed changes may seem a bit draconian, but really that isn’t the case at all. Let’s take a look at why, and what they might really mean to you.