On 09 March 2022, the US Securities and Exchange Commission (SEC) proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. These rules are intended to enhance and standardize cybersecurity disclosures, and, if adopted in their current form, would require public companies to disclose cybersecurity-related policies, procedures and all material cybersecurity incidents.
As predicted in our Connect on Tech discussion in March, the U.S. Securities and Exchange Commission (“SEC”) is ramping up its examination and enforcement focus on cybersecurity at financial institutions, including scrutiny on actual implementation and deployment of published procedures in response to discovery of cyber breach incidents. Furthermore, the SEC appears to signal its expectation that multi-factor authentication (“MFA”) for email accounts containing sensitive client and customer information should be in place.