The Securities and Exchange Commission is proposing new cybersecurity disclosure rules for public companies. According to the SEC, while public companies have improved their cyber disclosures over time, overall, they have done a poor job of making appropriate disclosures.
Is it a fair assessment by the SEC that companies are doing a poor job? Perhaps. On the concern that serious cybersecurity incidents are not being reported, the SEC notes: “Certain cybersecurity incidents were reported in the media but not disclosed in registrant’s filings.” When incidents were reported, the SEC notes a lack of timeliness, specificity, and consistency.