Partner New York
Proposed SEC Cybersecurity Rules11 April 2022
"The proposed rules would require current and periodic reporting of material cybersecurity incidents."
The proposed rules would require current and periodic reporting of material cybersecurity incidents. Additionally, the SEC proposed amendments that would require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risk. This would entail disclosing the impact of cybersecurity risks on the registrant’s business strategy; management’s role and expertise in implementing the registrant’s cybersecurity policies, procedures, and strategies; and the board of directors’ oversight role, and cybersecurity expertise, if any.
More specifically, the SEC has proposed to:
- Amend Form 8-K (the current report) to require registrants to disclose information about a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident;
- Amend Forms 10-Q (the quarterly report) and 10-K (the annual report) to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents, and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate;
- Require disclosure in the annual report regarding policies and procedures, if any, for identifying and managing cybersecurity risks, cybersecurity governance (including the board of directors’ oversight role regarding cybersecurity risks), management’s role and relevant expertise in assessing and managing cybersecurity related risks and implementing related policies, procedures, and strategies; and
- Require disclosure if any member of the registrant’s board of directors has cybersecurity expertise.
"Foreign private issuers are not exempt from the proposed cybersecurity rules."
Foreign private issuers are not exempt from the proposed cybersecurity rules. The SEC has proposed to amend the Form 20-F (the annual report for foreign private issuers, and the form used for certain securities registrations) to require foreign private issuers to provide cybersecurity disclosures in their annual reports filed on that form that are consistent with the disclosure that the SEC proposes to require in the domestic forms. In addition, the SEC proposed to amend Form 6-K to add “cybersecurity incidents” as a reporting topic. The SEC will require that the proposed disclosures be provided in inline XBRL.
The SEC, consistent with other rules, has not specified what is deemed “material” with respect to cybersecurity disclosure. The SEC instead referenced U.S. Supreme Court decisions to state that information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” In addition, any material information not known or disclosable at the time of the relevant filing would need to be updated in future periodic reports.