On June 11, 2021, the US Securities and Exchange Commission (SEC) announced that it would focus on cybersecurity disclosures made by public companies as part of its regulatory agenda. Given the SEC’s continued interest in cybersecurity issues, high-profile ransomware attacks and executive orders issued by President Biden, it is no surprise that the SEC is focused on taking an increasingly active role in a whole-of-government response to cybersecurity threats. Although it will be some time before a final rule on cybersecurity risk disclosures is issued, a proposal from the SEC is expected in October 2021. In the meantime, public companies should begin preparing for what is likely to be a new SEC rule mandating cybersecurity disclosures.
This Legal Update provides background on the new SEC chairman and the SEC rulemaking process, the SEC’s prior guidance on cybersecurity disclosures and steps that public companies can begin taking now to prepare for enhanced SEC oversight of cybersecurity disclosures.