S7-09-22: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

The document acknowledges that cybersecurity incidents involving third-party service provider vulnerabilities are becoming more frequent. The proposed rules require companies to disclose whether they have policies and procedures to oversee and identify the cybersecurity risks associated with their use of third-party service providers. This includes providers that have access to, or have information about, the company’s customer and employee data.

“The proposed amendments are intended to better inform investors about cybersecurity incidents and the cybersecurity risk management, strategy, and governance of registrants of all types and sizes which are subject to the Exchange Act reporting requirements.”