SEC Proposes New Disclosure Rules for Cyber Incidents

Ballard Spahr LLP

On March 9, 2022, the SEC proposed a new rule to enhance and standardize disclosures regarding cybersecurity incidents, risk management, strategy, and governance. If approved, public companies subject to the reporting requirements of the Securities and Exchange Act of 1934 will be subject to new disclosure requirements regarding (1) Cybersecurity Incidents, and (2) Cybersecurity Risk Management, Strategy, and Governance.

Beginning with the incident disclosure requirements, the proposed rule amends Form 8-K to require disclosure of material cybersecurity incidents within four (4) days of identifying that a material event has occurred. The proposed rule also adds new items to Regulation S-K and Form 20-F that require public companies to provide updated disclosures relating to previously disclosed cybersecurity incidents. Further, these additions will require disclosure when a series of previously undisclosed and individually immaterial incidents becomes material in the aggregate. Finally, the proposed rule amends Form 6-K to add cybersecurity incidents as a reporting topic.

The proposed rule would also create a swath of new reporting requirements regarding cybersecurity risk management, strategy, and governance. Specifically, the amendments to Regulation S-K and Form 20-F would require a registrant to describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats. This includes disclosure of whether the company considers cybersecurity as part of its business strategy, financial planning, and capital allocation, and how management implements cybersecurity policies, procedures, and strategies.

Additionally, the proposed rule would obligate covered companies to provide specific disclosures addressing board involvement and knowledge of cybersecurity issues and planning. Specifically, companies would be obligated to disclose information about the board’s oversight of cybersecurity risk. The proposed rule would also amend Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise. This would include disclosures in annual reports and certain proxy filings if any member of the board has expertise in cybersecurity, their name(s), and any details necessary to describe the nature of the relevant expertise.

The proposed rule is open to public comment until at least May 8, 2022, and may be revised prior to final approval.

While many companies already provide cybersecurity-related disclosures, the proposed rule provides enhanced clarity and standardization of what information is important to businesses and investors alike. Given the SEC’s recent focus on cybersecurity, we expect to see more related developments in the near future.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
