According to a recently-released meeting agenda, the Securities and Exchange Commission’s (“SEC”) upcoming July 26, 2023 meeting will include consideration of adopting rules to enhance disclosures regarding cybersecurity risk management, governance, and incidents by publicly traded companies.
The SEC initially proposed these rules in March 2022. If adopted as proposed, the new rules would require publicly traded companies to publicly disclose a cybersecurity incident within four business days of determining that the incident is material, and to provide disclosure in periodic reports about certain cybersecurity governance practices. The proposed rule has been subject to two comment periods; after the original comment period ended in May 2022, the SEC re-opened the comment period between October-November 2022. The SEC is considering additional rules that implicate cybersecurity considerations and are in various phases of comment and revision for investment advisors, broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.