On March 9, 2022, the Securities and Exchange Commission (“SEC”) issued proposed amendments to its rules aimed at enhancing and standardizing public company disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting (the “Proposed Rules”). The full text of the Proposed Rules can be viewed here.
In today’s digitally connected world, where an ever-increasing amount of global economic activity occurs through digital technology and electronic communications, the threat of cybersecurity incidents is significant. Potential costs and damages that can stem from a material cybersecurity incident are extensive. In light of the current digital landscape, the Proposed Rules are intended to better inform investors about a company’s cybersecurity risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.
In general, the Proposed Rules would require current reporting about material cybersecurity incidents as well as periodic reporting to provide updates about any such incidents previously reported. The Proposed Rules would also require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. Additionally, the Proposed Rules would require annual reporting about the board of directors’ cybersecurity expertise, if any.
For the purposes of the Proposed Rules, the following key definitions apply:
The Proposed Rules would add a new Item 1.05 to Form 8-K, which would require a company to provide the following information about a material cybersecurity incident within four business days of the company’s determination that such an incident had occurred:
The Proposed Rules provide the following non-exclusive list of cybersecurity incident examples:
Whether a cybersecurity incident is material may not be immediately apparent upon discovery; the triggering date under the Proposed Rules is the date that the materiality determination is made by the company. The company would be required to make such a determination “as soon as reasonably practicable after discovery of the incident.” Once a materiality determination has been made, an ongoing internal or external investigation related to the cybersecurity incident would not be grounds for a delay in reporting.
The Proposed Rules would also amend the General Instruction B of Form 6-K to reference material cybersecurity incidents among the items that may trigger a current report on that Form.
Lastly, under the Proposed Rules a failure to timely file a Form 8-K for Item 1.05 would not result in loss of Form S-3 or Form SF-3 eligibility. Similarly, Item 1.05 would be added to the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Securities Exchange Act of 1934.
Proposed Item 106(d)(1) of Regulation S-K would require registrants to disclose in their Forms 10-Q (and in Form 10-K for the fourth quarter) any material changes, additions, or updates that occur during the covered period to cybersecurity incidents previously reported on Form 8-K.
The Proposed Rules provide the following non-exclusive list of possible disclosures:
In addition, proposed Item 106(d)(2) would require companies to disclose previously undisclosed and immaterial cybersecurity incidents in the event that they become material in the aggregate. Under those circumstances, companies would be required to provide the following information in the Form 10-Q (or 10-K) for the quarter in which the company makes the determination the incidents are material in the aggregate:
Proposed Item 106(b) of Regulation S-K would require a registrant to periodically disclose its policies and procedures, if any, for identifying and managing cybersecurity risks and threats, including operational risk, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and reputational risk.
As proposed, Item 106(b) would require disclosure of the following:
Proposed Item 106(c) of Regulation S-K would require additional periodic disclosures related to board oversight of cybersecurity risks, as well as a description of management’s role in assessing and managing such risks.
Proposed disclosures regarding board oversight include:
Proposed disclosures relating to management’s role include:
The new disclosures under proposed Item 106(b) and (c) would be provided in a new Part I, Item 1.C of Form 10-K.
The Proposed Rules would add a new section (j) under Item 407 of Regulation S-K that would require companies to disclose the names of any directors with cybersecurity expertise, and descriptions of the nature of such expertise, in their proxy statements or information statements in connection with the election of directors, and in their Form 10-Ks.
Cybersecurity expertise is not defined, although the SEC offers the following list of non-exhaustive examples:
A director who is identified as having cybersecurity expertise would not be deemed to be an expert for any purposes, including for the purposes of Section 11 of the Securities Act of 1933, and any such designation would not increase a director’s responsibilities, obligations or liabilities in his or her capacity as a board member.
Finally, the Proposed Rules would amend Form 20-F to add Item 16J, which would make certain changes similar to those summarized above applicable to foreign private issuers. As proposed, foreign private issuers would be required to provide disclosures related to new material cybersecurity incidents, or updates on previously reported cybersecurity incidents, on Form 20-F.
Comments on the Proposed Rules are due 30 days after publication in the Federal Register or May 9, 2022, whichever is later.
For additional information related to Proposed Rules, please contact one of the authors listed, or any member of our Securities Law Practice Group.