SEC: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

In this comment letter, the CAQ provides views to the Securities and Exchange Commission (SEC) related to its Proposed Rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.

The CAQ is supportive of the SEC’s desire to implement rules that promote consistent, comparable, and decision useful cybersecurity disclosures and transparency that comes along with it. As domestic and foreign cybersecurity threats evolve, particularly in the remote and hybrid work environments, timely cybersecurity disclosures are becoming increasingly more relevant and useful to investors and other stakeholders in the financial reporting ecosystem. In our letter, we provide information and certain recommendations which would provide for improved clarity of the Proposed Rule related to 1) board of directors expertise and composition, 2) definitional clarity, 3) the aggregation of immaterial undisclosed cybersecurity incidents, and 4) the determination of cybersecurity incident materiality. We believe that improved clarity in these areas will help ensure the Proposed Rule is operational, providing for clear and comparable disclosure by registrants.