On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. The proposed rules would require, among other things, periodic disclosures about a company's policies and procedures to identify and manage cybersecurity risks.
Cybersecurity disclosure requirements
The SEC's fact sheet notes that the proposed rules would:
- Require current reporting about material cybersecurity incidents on Form 8-K;
- Require periodic disclosures regarding, among other things:
  - A registrant's policies and procedures to identify and manage cybersecurity risks;
  - Management's role in implementing cybersecurity policies and procedures;
  - Board of directors' cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
  - Updates about previously reported material cybersecurity incidents; and
- Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).
The proposed requirements build on earlier SEC guidance on cybersecurity reporting for public companies issued in 2011 and 2018. According to the SEC, the proposed rules are "designed to better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents."
The new proposed rules would require public companies to:
- Disclose information about a material cybersecurity incident within four business days after the company determines that it has experienced a material cybersecurity incident;
- Provide updated disclosures related to previously disclosed cybersecurity incidents;
- Provide a disclosure when "a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate";
- Describe the company's cybersecurity policies and procedures, specifically those for the identification and management of risks, and describe whether the company considers cybersecurity as part of its business strategy, financial planning, and capital allocation; and
- Disclose the board's oversight of cybersecurity risk, as well as management's role and expertise in assessing and managing cybersecurity risk and in implementing cybersecurity policies and procedures.
Form 8-K, Form 6-K, Form 20-F, and Regulation S-K would all be amended to effectuate these requirements. Comments are due by May 9, 2022, and can be submitted via the SEC's internet comment form, by mail, or via email. The comments will be available on the SEC's website.
In the past several years, the SEC has made inadequate cyber disclosures an enforcement priority, often taking issue with the nature and degree of public disclosures of cybersecurity incidents. In 2018, the entity formerly known as Yahoo! Inc. agreed to pay a $35 million penalty to settle charges that it misled investors by failing to adequately disclose a data breach involving the theft of millions of users' personal data. Last year, Pearson plc agreed to pay $1 million to settle charges that it misled investors by failing to adequately disclose a cybersecurity breach involving the theft of millions of student records and information.
As we noted last month, the SEC also issued a proposed rule on cybersecurity risk management for registered investment advisers and investment companies.
With the continuing surge of cybersecurity incidents, the SEC's focus on the issue is unlikely to abate.
Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years.