SEC Proposes Cybersecurity Disclosure Rule For Public Companies

Burr & Forman

Continuing its active regulatory agenda, the Securities and Exchange Commission on March 9, 2022, proposed new cybersecurity regulations for reporting public companies. Although couched as a series of “disclosure” requirements, the proposed list of required disclosures can be viewed as a de facto prescription of what public companies must do and say on cybersecurity; that prompted Commissioner Peirce to dissent.

The Proposed Rule would require reporting public companies to promptly disclose “material cybersecurity incidents” and their response, updating those disclosures in regularly recurring periodic reports. More significantly, though, the Proposed Rule sets out a series of required disclosures about registrants’ risk management policies and procedures, strategic view of cybersecurity issues and governance practices around cybersecurity – including the specific, detailed cybersecurity experience or expertise among directors and management.

The Proposing Release cites the SEC’s 2018 Interpretive Release on disclosure of material cybersecurity issues under the rubric of many existing Rules. See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 26, 2018) No. 33-10459 (Feb. 21, 2018) [83 FR 8166], available here. That lengthy discussion of how existing Rules compel material cybersecurity disclosures begs the question of whether the new, more prescriptive Rules are even necessary. The Release posits they are, because existing disclosure practices still vary considerably.

The Proposal broadly mirrors the Commission’s action last month proposing a similar rule for advisers and investment companies. I discussed that proposal here.

Commissioner Peirce dissented, as she did to the Adviser Cybersecurity Rule Proposal. Her main concerns were that the Proposed Rule:

  • Micromanaged Board and Management composition and actions on cybersecurity;
  • Was unduly prescriptive by an agency not well suited to address cybersecurity; and,
  • Was unnecessary in light of the 2018 Guidance.

Her dissenting statement may be found here.

The Proposing Release, Rel. No. 33-11038, File S7-09-22, is here. Comments are due May 9.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Burr & Forman | Attorney Advertising
