SEC Proposes Amendments That Would Place New Cybersecurity Reporting and Disclosure Requirements on Public Companies
On March 9, 2022, the US Securities and Exchange Commission (SEC) voted 3-1 to propose new rules and amendments under the Securities Exchange Act of 1934 that would constitute the SEC’s first attempt to adopt specific rules to comprehensively regulate cybersecurity risk management, strategy, governance and incident reporting for public companies (“registrants”). The stated goals of the proposal are to protect investors and optimize their decision-making abilities, raise cross-industry understanding of cyber threats and related incidents and promote timely reporting of cyber incidents. Below, we provide a preliminary overview of the proposed rules and amendments.
Yesterday’s proposal follows the SEC’s detailed cybersecurity rulemaking for registered investment advisers and business development companies, which was announced on February 9, 2022, and published in the Federal Register on March 9, 2022.[1] That proposal, if adopted, would require implementation of cybersecurity risk management policies and procedures, reporting requirements and disclosure requirements.[2]
Further in-depth analysis of both proposed rules will be forthcoming.
The Proposal
The proposed rules and amendments announced yesterday would impose several new requirements on registrants to disclose information concerning cybersecurity incidents and risks. The most prominent of these include requirements regarding the disclosure of material cybersecurity incidents, as well as obligations to disclose certain information regarding cybersecurity governance, policies and procedures.
Specifically, the proposed rules seek to:
- Require registrants to disclose information about a material cybersecurity incident on Form 8-K within four business days after the registrant determines it has experienced an incident.
- Require registrants to provide updated disclosures relating to previously disclosed cybersecurity incidents. This will also require disclosure of when “previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate.”[3]
- Require registrants to disclose information regarding cybersecurity governance, including the board of directors’ oversight role regarding cybersecurity risks and management’s role and relevant expertise in assessing and managing cybersecurity risks and implementing associated policies, procedures and strategies.
- Require registrants to disclose “the cybersecurity expertise of members of the board of directors.”[4]
- Require similar cybersecurity incident and risk management disclosures from foreign private issuers.
Yesterday’s proposal does not directly affect entities beyond public companies, such as broker-dealers. That said, Commissioner Gary Gensler stated at the March 9, 2022, open meeting that he has requested proposals for regulations that would specifically apply to broker-dealers as well. This suggests that there could be more SEC cybersecurity regulations on the table in the near future.
The comment period for this proposal is open to the public until the later of May 9, 2022, or 30 days after publication in the Federal Register.
[1] https://www.federalregister.gov/documents/2022/03/09/2022-03145/cybersecurity-risk-management-for-investment-advisers-registered-investment-companies-and-business
[2] https://www.mayerbrown.com/en/perspectives-events/publications/2022/02/sec-proposals-would-significantly-impact-private-fund-advisers-and-impose-new-cybersecurity-requirements-on-registered-advisers-and-funds-including-bdcs