Mr. Gerding addressed the SEC’s rationale behind releasing the final rule, including “investors’ need for improved disclosure” about cybersecurity considering the greater cybersecurity risks in an increasingly technology-reliant world. He also stressed that, although investors “need consistent and comparable disclosures” about cybersecurity, it would be a “misconception” to think that the Commission is “seeking to prescribe particular cybersecurity defenses, practices, technologies, risk management, governance, or strategy.” Rather, “public companies have the flexibility to decide how to address cybersecurity risks and threats based on their own particular facts and circumstances.”

Given the final rule’s imminent compliance date, Mr. Gerding addressed some of the actions public companies should consider taking, such as consulting with “chief information security officers, other company’s cybersecurity experts and technologists, the disclosure committee, and those responsible for advising them on securities law compliance.” He also stressed the Division’s own “open door policy” with respect to assisting companies with their interpretive questions regarding the final rule’s provisions. Mr. Gerding closed his remarks by reassuring companies that the Division does not “seek to make ‘gotcha’ comments or penalize foot faults.” Rather, he underscores that the SEC’s overarching goal with this rule, as with other rules, is to “elicit tailored disclosures that provide consistent, comparable, and decision-useful information to investors.”

Access the rule on SEC’s website