
Strengthening the ability of public companies to combat cybersecurity threats
2022-04-21 02:05

The National Association of Corporate Directors, SecurityScorecard and the Cyber Threat Alliance released a report that examines the U.S. Securities and Exchange Commission's recently proposed rules and amendments on cybersecurity reporting requirements for public companies.

The report concludes that the proposed rules, if enacted as currently drafted, would strengthen the ability of public companies, funds and advisors to combat cybersecurity threats and implement risk mitigation processes.

The report highlights the SEC's increased commitment to cybersecurity, holding more companies accountable, not just for egregious cyber-related violations, but also for misleading public statements about cybersecurity risks and events.

The proposed rules include reporting significant cybersecurity incidents to the SEC within 48 hours, implementing written cybersecurity policies and procedures to minimize operational risks, and recordkeeping that includes copies of documented annual reviews of cybersecurity policies and procedures in effect over the prior five years.

On March 9, the SEC issued its proposed rules for public companies that include disclosure of any material cybersecurity incidents within four days of discovery, reporting of prior immaterial cybersecurity incidents that become material, and disclosure of policies and procedures to identify and manage cybersecurity risks.

The SEC is considering new measures that would require companies to identify service providers that could pose cybersecurity risks and hold organizations accountable for a service provider's lack of cybersecurity measures.


News URL

https://www.helpnetsecurity.com/2022/04/21/cybersecurity-reporting-public-companies/