March 11, 2022

SEC Proposes New Disclosure Rules for Cyber Incidents



On March 9, 2022, the SEC proposed a new rule to enhance and standardize disclosures regarding cybersecurity incidents, risk management, strategy, and governance. If approved, public companies subject to the reporting requirements of the Securities Exchange Act of 1934 would be subject to new disclosure requirements regarding (1) cybersecurity incidents, and (2) cybersecurity risk management, strategy, and governance.

Beginning with the incident disclosure requirements, the proposed rule amends Form 8-K to require disclosure of material cybersecurity incidents within four (4) business days of the company determining that a material incident has occurred; the clock runs from the materiality determination, not from the discovery of the incident itself. The proposed rule also adds new items to Regulation S-K and Form 20-F that require public companies to provide updated disclosures about previously disclosed cybersecurity incidents. Further, these additions would require disclosure when a series of previously undisclosed and individually immaterial incidents becomes material in the aggregate. Finally, the proposed rule amends Form 6-K to add cybersecurity incidents as a reporting topic.

The proposed rule would also create a swath of new reporting requirements regarding cybersecurity risk management, strategy, and governance. Specifically, the amendments to Regulation S-K and Form 20-F would require a registrant to describe its policies and procedures, if any, for identifying and managing risks from cybersecurity threats. This includes disclosing whether the company considers cybersecurity risks as part of its business strategy, financial planning, and capital allocation, and how management implements its cybersecurity policies, procedures, and strategies.

Additionally, the proposed rule would obligate covered companies to provide specific disclosures addressing the board's involvement in, and knowledge of, cybersecurity issues and planning. Specifically, companies would be obligated to disclose information about the board's oversight of cybersecurity risk. The proposed rule would also amend Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise. This would include disclosing, in annual reports and certain proxy filings, whether any member of the board has expertise in cybersecurity and, if so, the name(s) of the director(s) and the details necessary to describe the nature of that expertise.

The proposed rule is open to public comment until at least May 8, 2022, and may be revised prior to final approval.

While many companies already provide cybersecurity-related disclosures, the proposed rule provides enhanced clarity and standardization of what information is important to businesses and investors alike. Given the SEC's recent focus on cybersecurity, we expect to see more related developments in the near future.
