SEC Proposes More Cybersecurity Reporting for Public Companies

Just one month after proposing new cybersecurity rules to strengthen technology infrastructure in U.S. securities markets, the Securities and Exchange Commission unveiled new rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident disclosure by public companies.

According to a fact sheet published on the SEC website, the amendments are designed to better inform investors and provide timely notification of material cybersecurity incidents.

As stated on the SEC fact sheet: “Consistent, comparable, and decision-useful disclosures would allow investors to evaluate registrants’ exposure to cybersecurity risks and incidents as well as their ability to manage and mitigate those risks and incidents.”

The proposed amendments would require, among other things, current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents. This would be accomplished by:

• Amending Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident.
  • The SEC notes that the four business days is after the registrant’s “determination of a material cybersecurity incident” not four business days after discovery. Further, the SEC expects public companies “to be diligent in making a materiality determination”;
  • Materiality is defined as that in which “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.
• Adding new to Regulation S-K and Form 20-F to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate; and
• Amending Form 6-K to add “cybersecurity incidents” as a reporting topic

The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks. Specifically, the proposal would:

• Add to Regulation S-K and of Form 20-F to require a registrant to:
  • Describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation; and
  • Require disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies.
• Amend Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise. Proposal would require disclosure in annual reports and certain proxy filings if any member of the registrant’s board of directors has expertise in cybersecurity, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise.

The notice of the proposed rules and amendments was released on March 9, 2022. The public comment period will remain open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.

For more information about the proposed regulations or public company cybersecurity practices in general, contact us. We are here to help.

© 2022