SEC’s new cybersecurity disclosure rules for public companies

  Cyvatar | 04/12/2022

Every investment carries risk, and investors accept that. Problems arise when investors cannot tell what risks they are stepping into, and the Securities and Exchange Commission's (SEC) proposed rules aim to close that gap for cybersecurity.

On March 9, 2022, the SEC proposed rules that would mandate cybersecurity disclosures by public companies.

Here is the SEC Press Release

If adopted, these changes would make it easier for investors to evaluate a public company's cybersecurity posture, practices, and incident history.

The SEC has previously issued only interpretive guidance explaining how its existing disclosure rules apply to cybersecurity threats and incidents. The newly proposed rule would instead establish concrete, enumerated disclosure requirements covering cybersecurity incidents, monitoring, and risk management.

In doing so, the proposal moves away from the principles-based approach of the prior guidance toward more prescriptive rule-making.

The proposed SEC requirements aim to enhance public companies' disclosures in two ways:

  1. First, it would mandate ongoing disclosure of a company's cybersecurity governance, risk management, and strategy, so that investors can assess these risks before investing. Under the proposed rule, companies would be required to provide information such as:
  • How management and the board of directors oversee and are held responsible for cybersecurity risk
  • How cyber-threats and incidents are likely to affect the company's bottom line
  • Whether the company has cybersecurity policies and processes in place
  2. Second, it would require mandatory and substantive reporting of cybersecurity incidents. This matters because a company's incident history can affect investors' decisions.

Existing disclosure of cybersecurity risks and incidents has been:

  • Inconsistent
  • Untimely
  • Difficult to locate

When public companies are obliged to share material information with investors, it must be accurate and complete. Moreover, the disclosures must be timely. This is what the current proposal intends to achieve.

Under the proposed rule, companies would be required to disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material, and to update that disclosure in subsequent Forms 10-Q and 10-K.

Quick pointers on the new proposed cybersecurity disclosure requirements for public companies:

1. Current Reporting Requirements

By adding new Item 1.05 to Form 8-K, the proposed modifications would compel current reporting of material cybersecurity incidents.

Item 1.05 would require firms to disclose material cybersecurity incidents within four business days, just like practically all other Form 8-K items.

The four-day clock starts on the date of the materiality determination, not the date the incident was discovered; however, companies must make that determination as soon as reasonably practicable after discovery, so the determination cannot be used to delay disclosure.

The following information would be required to be disclosed:

  • Time of discovery of incident and whether it’s ongoing
  • A brief description of the scope and nature of the incident
  • Whether any data was stolen, tampered with, accessed, or misused in any way
  • The incident’s impact on the company’s operations
  • Whether the company has remedied the event or is in the process of doing so

2. Periodic Reporting Requirements

A) Material Updates to Cybersecurity Incidents

Proposed new Item 106(d) of Regulation S-K would add disclosure requirements to public companies' quarterly and annual reports. Companies would have to disclose, in the Form 10-Q or Form 10-K covering the period, any material changes, additions, or updates to information previously disclosed under proposed Item 1.05 of Form 8-K.

B) Risk Management and Strategy

Furthermore, public filers would be required to disclose their cybersecurity risk and threat management policies and processes, if any exist.

Public filers would also be required to explain whether they hire assessors or other third-parties to help with risk assessment, as well as any risk policies or procedures related to the use of third-party service providers.

The additional items in proposed Item 106(b) would necessitate disclosure regarding:

  1. whether the company takes steps to prevent, detect, and minimize the effects of cybersecurity incidents
  2. whether the organization has measures in place for business continuity, contingency, or recovery in the case of a cyber-attack
  3. whether prior cybersecurity incidents influenced changes in the company’s governance, policy, and processes, or technology
  4. whether, and how, cybersecurity-related risks and incidents have impacted or are anticipated to impact the company’s results of operations or financial condition
  5. whether, and how, cybersecurity risks are factored into the corporate strategy, financial planning, and capital allocation of the enterprise

C) Director Cybersecurity Expertise

Proposed Item 407(j) of Regulation S-K would require firms to disclose the cybersecurity experience of their directors, if any, on an annual basis.

If any member of the board of directors possesses cybersecurity experience, the corporation would be required to publish the director’s name as well as any further information needed to adequately define the nature of the director’s expertise.

The proposed rule would introduce criteria for determining cybersecurity expertise, such as whether the director has work experience in cybersecurity, whether the director has obtained a cybersecurity certification or degree, and whether the director has knowledge, skills, or other background in cybersecurity.

Proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 of the Securities Act of 1933, as a result of being designated or identified as a director with expertise in cybersecurity pursuant to proposed Item 407(j).

D) Governance

Item 106(c) of Regulation S-K, as proposed, would require disclosure of the board of directors’ and management’s roles in cybersecurity governance.

Public filers would be required to report whether the board of directors, as a whole, certain board members, or a board committee is responsible for overseeing cybersecurity risks.

A discussion of the processes by which the board is informed about cybersecurity risks, the frequency of cybersecurity discussions, and whether and how the board or responsible board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight would be required as part of the disclosure.

On the management side, public filers would have to disclose whether specific management positions or committees are responsible for measuring and managing cybersecurity risk, along with the relevant expertise of those individuals.

Public filers would also have to disclose whether they have designated a chief information security officer (CISO) or someone in a comparable role and, if so, where that person sits in the organizational chart and what relevant expertise they have. They would further have to describe the processes by which such persons or committees are informed about, and monitor, the prevention, mitigation, detection, and remediation of cybersecurity incidents, and whether, and how often, those persons or committees report to the board of directors or a board committee on cybersecurity risk.

E) Foreign Private Issuers

Equivalent amendments would be made to Form 20-F so that foreign private issuers provide similar disclosures on an annual basis.

3. Structured Data Requirements

The proposed rules would require all of these disclosures to be tagged in Inline XBRL: block text tagging of the narrative disclosures, and detail tagging of the quantitative amounts stated within those narratives, so the information is machine-readable rather than buried in free text.
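As an added example (not code from the original post, and not an SEC or XBRL tool), the following Python parses a constructed Inline XBRL fragment to show what block text tagging of a narrative and detail tagging of a number inside it look like, and how the facts are recovered. The `cyd:` concept names, the `c-2022Q1` context, and the disclosure text are all made up for illustration and do not come from any official taxonomy; only the `ix:` namespace, element names, and attributes (`contextRef`, `unitRef`, `decimals`, `scale`, `format`) are real iXBRL syntax. The second function flags dollar amounts left untagged inside a block-tagged narrative, which is the kind of check a filer would want before submitting.

```python
"""Parse an Inline XBRL (iXBRL) fragment and recover its tagged facts.

Added example, not from the original post. Concept names (cyd:*), the
context id and the narrative text are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from decimal import Decimal

IX = "http://www.xbrl.org/2013/inlineXBRL"
XHTML = "http://www.w3.org/1999/xhtml"
IX_NONNUMERIC = f"{{{IX}}}nonNumeric"
IX_NONFRACTION = f"{{{IX}}}nonFraction"

# Constructed sample: one narrative paragraph block-tagged as a whole
# (ix:nonNumeric), with one dollar amount inside it detail-tagged as a
# separate numeric fact (ix:nonFraction) and one amount left untagged.
SAMPLE_IXBRL = f"""<html xmlns="{XHTML}" xmlns:ix="{IX}"
      xmlns:ixt="http://www.xbrl.org/inlineXBRL/transformation/2020-02-12"
      xmlns:cyd="http://example.com/hypothetical/cyd">
  <body>
    <p>
      <ix:nonNumeric name="cyd:MaterialCybersecurityIncidentDescription"
                     contextRef="c-2022Q1">
        On March 14, 2022 the Company detected unauthorized access to a
        customer-facing system. Remediation costs to date total $
        <ix:nonFraction name="cyd:CybersecurityIncidentRemediationCost"
                        contextRef="c-2022Q1" unitRef="usd"
                        decimals="-3" scale="3"
                        format="ixt:num-dot-decimal">1,250</ix:nonFraction>
        thousand. The incident has been remediated. Insurance recoveries
        of $40,000 are expected.
      </ix:nonNumeric>
    </p>
  </body>
</html>"""

AMOUNT = re.compile(r"\$\s?\d[\d,]*(?:\.\d+)?")


def _text(elem):
    """All text under elem, whitespace-normalised. For a block-tagged
    narrative this includes the text of nested numeric facts."""
    return " ".join("".join(elem.itertext()).split())


def parse_ixbrl(doc: str) -> dict:
    """Return {'text': {...}, 'numeric': {...}} keyed by concept name."""
    root = ET.fromstring(doc)
    facts = {"text": {}, "numeric": {}}
    for el in root.iter(IX_NONNUMERIC):
        facts["text"][el.get("name")] = {
            "context": el.get("contextRef"), "value": _text(el)}
    for el in root.iter(IX_NONFRACTION):
        raw = _text(el)
        # ixt:num-dot-decimal: comma thousands separator, dot decimal point.
        if el.get("format", "").endswith("num-dot-decimal"):
            raw = raw.replace(",", "").replace(" ", "")
        # scale="3" means the displayed value is in thousands.
        value = Decimal(raw) * (Decimal(10) ** int(el.get("scale", "0")))
        if el.get("sign") == "-":
            value = -value
        facts["numeric"][el.get("name")] = {
            "context": el.get("contextRef"), "unit": el.get("unitRef"),
            "decimals": el.get("decimals"), "value": value}
    return facts


def untagged_amounts(doc: str) -> list:
    """Dollar amounts inside a block-tagged narrative that are NOT wrapped
    in an ix:nonFraction detail tag. Only text outside nonFraction elements
    is scanned: the block's own text, other children's text, and tails."""
    root = ET.fromstring(doc)
    found = []
    for block in root.iter(IX_NONNUMERIC):
        segments = [block.text or ""]
        for child in block.iter():
            if child is block:
                continue
            if child.tag != IX_NONFRACTION:
                segments.append(child.text or "")
            segments.append(child.tail or "")  # tail is outside the child
        for seg in segments:
            found.extend(AMOUNT.findall(" ".join(seg.split())))
    return found


if __name__ == "__main__":
    facts = parse_ixbrl(SAMPLE_IXBRL)
    for name, fact in facts["numeric"].items():
        print(name, fact["value"], fact["unit"])
    print("untagged:", untagged_amounts(SAMPLE_IXBRL))
```

Running the script prints the remediation cost as 1250000 usd (the displayed "1,250" multiplied by 10^3 per the `scale` attribute) and reports `$40,000` as an amount that was never detail-tagged, which an XBRL reviewer would have to fix before the narrative meets the "detail tagging of quantitative amounts" requirement.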

The proposed rule is open for public comment until 30 days after its publication in the Federal Register or May 9, 2022, whichever is later. After that, the SEC will consider the comments before voting on a final rule.

How can I submit a comment on the new SEC proposal?

You can submit a comment using the following methods:

Note: All submissions must refer to File number S7-09-22.

Cyvatar helps startups and SMBs achieve cybersecurity confidence with its all-in-one security operations platform.

Create a free account today, identify your organization's security gaps, and learn how Cyvatar can solve your security challenges.
