
Tough new SEC cyber risk disclosure rules have left kicking and screaming in their wake

The US Chamber of Commerce had fumed that the SEC’s “unprecedented micromanagement of companies’ cybersecurity programs is misguided”

New SEC cybersecurity rules include disclosure details on incidents, board of directors

The US’s markets watchdog has adopted controversial new cybersecurity disclosure rules that will force listed companies to detail the Board of Directors’ (BOD) oversight of cyber risk – and even compel the disclosure of “material” cybersecurity incidents within four days. Initial proposals that would have forced companies to specifically detail whether they have a CISO and who they report to have been dropped to “streamline” the rules.

The Securities and Exchange Commission (SEC) said on July 26 that it is introducing the rules to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies” – and emphasised that such disclosures will need to be made publicly available in machine-readable inline XBRL format.
