On March 9, 2022, the SEC proposed a new rule to enhance and standardize disclosures regarding cybersecurity incidents, risk management, strategy, and governance. If approved, public companies subject to the reporting requirements of the Securities and Exchange Act of 1934 will be subject to new disclosure requirements regarding (1) Cybersecurity Incidents, and (2) Cybersecurity Risk Management, Strategy, and Governance.

Beginning with the incident disclosure requirements, the proposed rule amends Form 8-K to require disclosure of material cybersecurity incidents within four (4) days of identifying that a material event has occurred. The proposed rule also adds new items to Regulation S-K and Form 20-F that require public companies to provide updated disclosures relating to previously disclosed cybersecurity incidents. Further, these additions will require disclosure when a series of previously undisclosed and individually immaterial incidents become material in the aggregate. Finally, the proposed rule amends Form 6-K to add cybersecurity incidents as a reporting topic.
The proposed rule would also create a swath of new reporting requirements regarding cybersecurity risk management, strategy, and governance. Specifically, the amendments to Regulation S-K and Form 20-F would require a registrant to describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats. This includes disclosure of whether the company considers cybersecurity as part of its business strategy, financial planning, and capital allocation, and how management implements cybersecurity policies, procedures, and strategies.
Additionally, the proposed rule would obligate covered companies to provide specific disclosures addressing board involvement and knowledge of cybersecurity issues and planning. Specifically, companies would be obligated to disclose information about the board’s oversight of cybersecurity risk. The proposed rule would also amend Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise. This would include disclosures in annual reports and certain proxy filings if any member of the board has expertise in cybersecurity, their name(s), and any details necessary to describe the nature of the relevant expertise.
The proposed rule is open to public comment until at least May 8, 2022, and may be revised prior to final approval.
While many companies already provide cybersecurity-related disclosures, the proposed rule provides enhanced clarity and standardization of what information is important to businesses and investors alike. Given the SEC’s recent focus on cybersecurity, we expect to see more related developments in the near future.