Skip to content

menu

Open Legal Blog Archive logo
HomeAboutBlogsFAQsSubmit

SEC Issues Proposed Rules on Public Company Cybersecurity Disclosures

By Edward McNicholas & Kevin Angle on March 17, 2022
cyber-security-4498009_640

On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed updates to its disclosure rules intended to “enhance and standardize” public company disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting (the “Proposed Rules”). The Proposed Rules may require issuers to update their disclosure controls and procedures, in particular with respect to determining the materiality of cybersecurity events and providing prompt disclosure.

The Proposed Rules build on a body of pre-existing SEC guidance regarding cybersecurity disclosures. In 2011, the Division of Corporation Finance issued interpretive guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The SEC followed up that guidance with a 2018 statement on cybersecurity disclosure addressing, among other things, the materiality of incidents, updates to risk factors, and board risk oversight. If adopted, the proposed rules make many of these recommendations express requirements, while adding additional clarity and detail regarding cybersecurity risks and practices that must be reported. While the proposed rules are focused on disclosure, if adopted, they may lead issuers to enhance cybersecurity risk management and oversight, as well as to add directors with expertise in cybersecurity.

For more details, click here to read Ropes & Gray’s client alert on the Proposed Rules.

  • Posted in:
    Privacy & Data Security
  • Blog:
    RopesDataPhiles
  • Organization:
    Ropes & Gray
  • Article: View Original Source

Open Legal Blog Archive, Inc. logo
Seattle, Washington
Copyright © 2026, Open Legal Blog Archive, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo