SECurities in a SECond

March 16, 2022

SEC Proposes Mandatory Cybersecurity Disclosures

The SEC recently proposed rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. Specifically, the proposals would:

  1. Require current reporting about material cybersecurity incidents on Form 8-K;
  2. Require periodic disclosures regarding, among other things:
    1. A registrant’s policies and procedures to identify and manage cybersecurity risks;
    2. Management’s role in implementing cybersecurity policies and procedures;
    3. Directors’ cybersecurity expertise, if any, and the role of the board of directors in overseeing cybersecurity risk; and
    4. Updates about previously reported material cybersecurity incidents; and
  3. Require the cybersecurity disclosures to be presented in Inline XBRL.

The SEC stated that “[c]onsistent, comparable, and decision-useful disclosures [are necessary to] allow investors to evaluate registrants’ exposure to cybersecurity risks and incidents as well as their ability to manage and mitigate those risks and incidents.” The comment period for these proposed rules will end 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.