Increasingly, the Federal government implements a rule for government contractors that then makes its way, in some form, into all of US industry.  Cybersecurity regulations mandating that government contractors, grant and agreement holders, and their subcontractors maintain certain security controls and report cyber incidents have been in effect for a number of years.  Indeed, Deputy Attorney General Lisa Monaco announced a Civil Cyber-Fraud Initiative to pursue government contractors and grant and agreement holders that falsely represent the cybersecurity of their products and services, or the state of their compliance with cybersecurity requirements, when seeking or performing government contracts.  Given a reported 1885% increase in ransomware attacks and high-profile cyber events such as the Colonial Pipeline attack in 2021, it is therefore not surprising that the Securities and Exchange Commission (SEC) is moving to require public companies to increase their cybersecurity activities and to report cyber incidents so that investors have greater insight into the risks facing their investments.

On March 23, 2022, the SEC issued a proposed rule to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies.”  The proposed rule would also require public companies to make periodic disclosures about their policies and procedures for identifying and managing cybersecurity risks, and about the roles of the board and company management in that process.  Where cybersecurity incidents have been reported, the proposed rule would require the disclosures to be tagged in Inline eXtensible Business Reporting Language (Inline XBRL) so they are machine-readable.

Comments on the proposed rule may be submitted electronically or in hard copy, should reference the rulemaking, File Number S7-09-22, and must be submitted by May 9, 2022.

For further details on the proposed rulemaking, read Stinson’s recent alert, SEC Proposes Public Company Cybersecurity Disclosure Rules.