SEC to introduce mandatory XBRL cybersecurity reporting for public companies
The US Securities and Exchange Commission (SEC) has proposed significant new rules on cybersecurity risk management, strategy, governance, and incident reporting by public companies. As Chair Gary Gensler observed in his statement, “over the years, our disclosure regime has evolved to reflect evolving risks and investor needs. Today, cybersecurity is an emerging risk with which public issuers increasingly must contend,” and investors want to know more about how this is being managed.
While many companies already provide cybersecurity disclosures, the SEC seeks to ensure that this information is consistent, comparable and decision-useful. Essential to achieving those goals is the requirement that disclosures be made in Inline XBRL, which will also ensure that this data can be analysed alongside the wide range of other information reported to the SEC in XBRL.
The proposal has two key elements: “First, it would require mandatory, ongoing disclosures on companies’ governance, risk management, and strategy with respect to cybersecurity risks. This would allow investors to assess these risks more effectively,” explains Gensler.
“Second, it would require mandatory, material cybersecurity incident reporting. This is critical because such material cybersecurity incidents could affect investors’ decision-making.” The proposal sets out when and what information about cybersecurity incidents companies should disclose in a current report, such as on Form 8-K. It also would require updates in periodic reports to give investors more complete information on previously disclosed, material cybersecurity incidents.
The proposal will be open for public comment for 60 days following its publication on the SEC website, or 30 days after it is published in the Federal Register, whichever ends later. And you’re not suffering from déjà vu – the SEC also recently issued proposed rules on cybersecurity for registered investment advisors and funds, which include disclosures in Inline XBRL and are still out for comment.