March 23, 2022

SEC Proposes New Cybersecurity Rules for Public Companies

Key Takeaways

  • The proposal addresses potential new cybersecurity disclosure requirements along two fronts: (i) material cybersecurity incidents; and (ii) cybersecurity risk management, strategy, and governance.
  • The proposal follows prior SEC guidance on cybersecurity disclosures issued in 2011 and 2018.

The SEC voted on March 9, 2022, by a vote of three to one, to propose regulations "to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies" and strengthen investors' ability to evaluate public companies' cybersecurity practices and incident reporting. 
 

What You Need to Know:

If adopted, the proposed rules would:

  1. Require current reporting about material cybersecurity incidents on Form 8-K;
  2. Require periodic disclosures regarding a company's:
    • policies and procedures to identify and manage cybersecurity risks;
    • management's role and expertise in implementing cybersecurity policies and procedures;
    • management's role and expertise in assessing and managing cybersecurity risk;
    • board of directors' cybersecurity expertise and oversight of cybersecurity risk; and
    • updates about previously reported material cybersecurity incidents.

 

The proposal addresses potential new cybersecurity disclosure requirements along two fronts: (i) material cybersecurity incidents; and (ii) cybersecurity risk management, strategy, and governance. The proposal's release serves as a reminder to companies to review their reporting, oversight and cybersecurity risk management practices periodically, particularly in anticipation of heightened cybersecurity disclosure requirements and scrutiny by the SEC. The proposal follows prior SEC guidance on cybersecurity disclosures issued in 2011 and 2018.

The stated purpose of the proposal is to better inform investors about public companies' cybersecurity risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents. The proposal marks the SEC's first attempt to specify a time frame by which companies need to disclose cyber incidents.

The full proposal can be found here and the SEC press release here.

The public comment period will be open for 60 days following publication of the proposing release on the SEC's website (that is, until May 9, 2022, counting from the March 9, 2022 release), or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.

Disclosure of Material Cybersecurity Incidents

The proposed rules would amend Form 8-K to require a company to disclose information about a material cybersecurity incident within four business days after the company determines that it has experienced a material cybersecurity incident. The event triggering the proposed reporting obligation is the company's determination that a material cybersecurity incident has occurred and not merely the discovery of a cybersecurity incident. For purposes of assessing whether a cybersecurity incident is material, the proposal indicates materiality should be evaluated in a manner consistent with case law on materiality generally.

To the extent then known, the disclosure would be required to include: 

  • when the incident was discovered and whether it is ongoing; 
  • a brief description of the nature and scope of the incident; 
  • whether any data was stolen, altered, accessed, or used for any other unauthorized purpose; 
  • the effect of the incident on the company's operations; and 
  • whether the company has remediated or is currently remediating the incident. 

 
Disclosure of technical information relating to any such cybersecurity incident or any potential vulnerability is not expected or required. Because the disclosure requirement would extend only to information known by the company at the time the disclosure is due, a company could not delay its disclosure pending the completion of an investigation into the material cybersecurity incident; whatever is known at the deadline must be reported, and later-learned facts are picked up through the update requirement described below.

In subsequent periodic reports the proposed rules would require disclosure of any material changes, additions or updates to information previously reported regarding a material cybersecurity incident. 

Disclosure of Cybersecurity Risk Management, Strategy, and Governance

To enhance and standardize disclosures about companies' cybersecurity risk management, strategy and governance, the proposal would add Item 106 to Reg S-K. This item would require companies to describe their policies and procedures for identifying and managing risks related to cybersecurity threats, including whether, and if so how, the company takes cybersecurity risks into account as part of its business strategy, financial planning and capital allocation. For example, such disclosure may describe a registrant's cybersecurity risk assessment program and the steps it takes to detect and prevent cybersecurity incidents. A registrant would also be required to disclose cybersecurity incidents or risks that have affected, or are reasonably likely to affect, its results of operations and/or financial condition.

The proposed rules would require disclosure of a registrant's cybersecurity governance policies, including board oversight procedures such as whether the board, specific board members, or a board committee is responsible for the oversight of cybersecurity risk management. The proposed rules require similar descriptions of management's role with respect to cybersecurity incidents and risks.

Disclosure of Board of Directors' Cybersecurity Expertise

The proposed rules would add a disclosure requirement (proposed Reg S-K Item 407(j)) in proxy statements for the election of directors regarding the cybersecurity expertise, if any, of members of the registrant's board. The release provides certain non-exclusive examples of what may constitute "cybersecurity expertise," such as a director's prior work experience, certifications or degrees related to cybersecurity, or any other skills or background in cybersecurity. The proposing release also emphasized that a director designated as a cybersecurity expert would not be deemed an expert for any other purpose, and that such a designation would neither impose nor diminish any duties, obligations or liability on that director or on the other directors under federal securities law.

Foreign Private Issuers

The SEC is proposing to amend Form 20-F to require annual disclosures regarding any previously undisclosed material cybersecurity incidents that have occurred during the reporting period and the same type of disclosure as that proposed in Reg S-K Items 106 and 407(j). The proposed amendments would also add reference to material cybersecurity incidents among the items that may trigger a current report on Form 6-K.

Practical Takeaways

In light of the proposed rules, companies may want to adopt improved governance and risk management measures. These should include regular reviews of the company's policies and procedures related to cybersecurity risks and business resiliency, and assessments of the company's cybersecurity risks and capabilities. Company management and boards should also regularly evaluate the cybersecurity expertise of their members and consider the need for management-level personnel or board members with such expertise. Given the proposal's focus on board and management cybersecurity risk oversight, companies should consider assigning specific board committees and managers responsibility for overseeing cybersecurity risks. These measures would help companies identify cybersecurity breaches promptly and maintain compliance with the disclosure requirements. 

To prepare for a cybersecurity incident, companies should update their incident response plans and training in light of the proposed current reporting requirement. The update should include a checklist of the information that would have to be disclosed in the event of a material cybersecurity incident under the proposed rules (date of discovery and whether the incident is ongoing; nature and scope; whether data was stolen, altered, accessed or otherwise misused; operational effect; and remediation status), together with a defined path for escalating an incident from the security team to the people who make the materiality determination. 

The proposed four-business-day 8-K deadline runs from the company's determination that an incident is material, not from its discovery, so the clock depends on how quickly incidents are escalated and assessed internally. Meeting it may be challenging without protocols in place for prompt escalation and materiality assessment of cybersecurity incidents, and companies should begin designing the internal disclosure procedures needed to comply with the 8-K requirement now. 
