Investments carry inherent risks that every investor accepts. Problems arise, however, when investors do not know what they are stepping into, and the Securities and Exchange Commission (SEC) proposed rules aim to address this.
On March 9, 2022, the SEC proposed rules that would mandate cybersecurity disclosures by public companies.
Here is the SEC Press Release
These changes make it easier for investors to evaluate public companies’ cybersecurity postures, practices, and incident reporting.
The SEC has previously issued interpretive guidance regarding its existing rules and how they should be interpreted in connection with cybersecurity threats and incidents. In contrast, the recently proposed rule would establish concrete disclosure requirements related to cybersecurity incidents, monitoring, and risk management.
The proposed rule also marks a move away from the previous administration’s principles-based approach toward a more prescriptive rule-making method.
The proposed SEC requirements aim to enhance public companies’ disclosures in two ways:
The previous disclosure on cybersecurity risks and incident reporting remains:
When public companies are obliged to share material information with investors, it must be accurate and complete. Moreover, the disclosures must be timely. This is what the current proposal intends to achieve.
Under the proposed rule, companies would be required to disclose material cybersecurity incidents on Form 8-K within four business days, and those events would also require disclosures in subsequent Forms 10-Q and 10-K.
By adding new Item 1.05 to Form 8-K, the proposed modifications would compel current reporting of material cybersecurity incidents.
Item 1.05 would require firms to disclose material cybersecurity incidents within four business days, just like practically all other Form 8-K items.
The trigger date for the disclosure is the date of the materiality determination rather than the date the incident was discovered, although companies must make a materiality determination as soon as reasonably possible after discovery.
The following information would be required to be disclosed:
The proposed amendments would also add disclosure requirements to public companies’ quarterly and annual reports by introducing new Item 106(d) of Regulation S-K. Item 106(d) would require companies to disclose, in the Form 10-Q or Form 10-K for the covered period, any material changes, additions, or updates to information required to be disclosed under proposed Item 1.05 of Form 8-K.
Furthermore, public filers would be required to disclose their cybersecurity risk and threat management policies and processes, if any exist.
Public filers would also be required to explain whether they engage assessors or other third parties to help with risk assessment, as well as any risk policies or procedures related to the use of third-party service providers.
The additional items in proposed Item 106(b) would necessitate disclosure regarding:
Proposed Item 407(j) of Regulation S-K would require firms to disclose the cybersecurity experience of their directors, if any, on an annual basis.
If any member of the board of directors possesses cybersecurity experience, the corporation would be required to publish the director’s name as well as any further information needed to adequately define the nature of the director’s expertise.
The proposed rule would introduce criteria for determining cybersecurity expertise, such as whether the director has work experience in cybersecurity, whether the director has obtained a cybersecurity certification or degree, and whether the director has knowledge, skills, or other background in cybersecurity.
Proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 of the Securities Act of 1933, as a result of being designated or identified as a director with expertise in cybersecurity pursuant to proposed Item 407(j).
Item 106(c) of Regulation S-K, as proposed, would require disclosure of the board of directors’ and management’s roles in cybersecurity governance.
Public filers would be required to report whether the board of directors, as a whole, certain board members, or a board committee is responsible for overseeing cybersecurity risks.
A discussion of the processes by which the board is informed about cybersecurity risks, the frequency of cybersecurity discussions, and whether and how the board or responsible board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight would be required as part of the disclosure.
With respect to management, public filers would have to disclose whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, as well as the relevant expertise of such individuals.
Public filers would also have to disclose whether they have designated a chief information security officer (CISO) or someone in a similar position and, if so, to whom that individual reports within the company’s organizational chart and the relevant expertise of any such person. They would further disclose the processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents, and whether and how frequently such incidents occur.
Equivalent adjustments would be made to Form 20-F to mandate similar disclosures on a yearly basis.
The proposed rule would require all of these disclosures to be tagged in Inline XBRL, including block text tagging of narrative disclosures and detail tagging of quantitative amounts given within the narrative disclosures.
The proposed SEC cybersecurity rule is open for public comment until 30 days after its publication in the Federal Register or May 9, 2022, whichever is later. After that, the SEC will consider the public comments before voting on a final rule.
You can submit a comment using the following methods:
Note: All submissions must refer to File number S7-09-22.