WASHINGTON – May 9, 2022 – BSA | The Software Alliance today submitted comments to the Securities and Exchange Commission (SEC) on its 33-11038 Proposed Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The proposed rule is intended to better inform investors about a publicly traded company’s cybersecurity risk management, strategy, and governance and to require timely notification of material cybersecurity incidents.

The BSA response argues the SEC should continue to support sound cybersecurity practices, but it should provide tailored exceptions to new disclosure deadlines and should allow reasonable flexibility in incident disclosure to prevent severe unintended consequences. Further, the BSA response argues that if the SEC moves forward, it should provide registrants flexibility in the timing and substance of public disclosures. Finally, BSA’s response requests the Commission to clarify that disclosure requirements do not apply to third-party service providers.

BSA supports the continued strengthening of cybersecurity practices across all sectors of the U.S. economy as well as the SEC’s requirement that registrants disclose information about material events, including material cyber incidents. BSA has consistently advocated policies that will strengthen cybersecurity, as reflected in the BSA Cybersecurity Agenda.

To read the full response, please click here.