
SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance..


David H. Lipman


SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

Quote

FOR IMMEDIATE RELEASE
2022-39

Washington D.C., March 9, 2022 —

The Securities and Exchange Commission today proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

"Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs," said SEC Chair Gary Gensler. "Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies' cybersecurity practices and incident reporting."

The proposed amendments would require, among other things, current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors' oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.

The proposed amendments are intended to better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.

The proposing release will be published on SEC.gov and in the Federal Register. The comment period will remain open for 60 days following publication of the proposing release on the SEC's website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.

https://www.sec.gov/rules/proposed/2022/33-11038.pdf

 

SEC wants public companies to report breaches within four days

 

Quote

The US Securities and Exchange Commission (SEC) has proposed rule amendments to require publicly traded companies to report data breaches and other cybersecurity incidents within four days after they're determined as being a material incident (one that shareholders would likely consider important).

"In some cases, the date of the registrant’s materiality determination may coincide with the date of discovery of an incident, but in other cases the materiality determination will come after the discovery date," the Wall Street watchdog explained.

According to newly proposed amendments to current rules, listed companies would have to provide information in periodic report filings on policies, implemented procedures, and the measures taken to identify and manage cybersecurity risks on Form 8-K.

The amended rules would also instruct companies to provide updates regarding previously reported security breaches.

The SEC wants public companies to share regular disclosures regarding their management's role in implementing cybersecurity procedures and policies, as well as on their board of directors' cybersecurity expertise and oversight of cybersecurity risk.

"We believe that the proposed requirement to file an Item 1.05 Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident would significantly improve the timeliness of cybersecurity incident disclosures, as well as provide investors with more standardized and comparable disclosures," the regulator said [PDF].

Timely disclosure to keep investors informed

These proposed amendments are designed to provide investors with timely notifications of security breaches affecting listed companies and better inform them regarding their cybersecurity risk management and strategy.

If the rules are revised as the SEC wants, the new regulations [PDF] would require disclosing the following information about breaches (if the information is available when the 8-K forms are filed):

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the registrant's operations;
  • Whether the registrant has remediated or is currently remediating the incident.

However, companies affected by a breach are not expected to reveal technical information regarding their planned incident response or details on potential vulnerabilities to impact their response or remediation of the incident.

"Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs. A lot of issuers already provide cybersecurity disclosure to investors," SEC Chair Gary Gensler added.

"I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.

"I am pleased to support this proposal because, if adopted, it would strengthen investors' ability to evaluate public companies' cybersecurity practices and incident reporting."

 

 

 

Edited by David H. Lipman