Corporate Communicator - Spring 2022

Snell & Wilmer

On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed amendments to its rules to enhance and standardize cybersecurity disclosures. The proposed amendments would require: (1) disclosure of cybersecurity incidents and (2) disclosure of cybersecurity risk management, strategy, and governance.

When discussing the new proposal, SEC Chair Gary Gensler commented that “cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks.” To this point, the proposed rule acknowledges there may be a positive correlation between a public company’s stock price and investments in certain cybersecurity technology. Accordingly, “whether and how a [company] is managing cybersecurity risks could impact an investor’s return on investment and would be decision-useful information in an investor’s investment or considerations.”

A summary of key takeaways of the proposed rules follows:

  • Form 8-K would be amended to add new Item 1.05. New Item 1.05 would require registrants to disclose information about a cybersecurity incident within four business days after the registrant determines that it has experienced a “material” cybersecurity incident. Following is a summary of the proposed required disclosures:
      • When the incident was discovered;
      • Whether the incident is ongoing;
      • A brief description of the nature and scope of the incident, as well as the effect of the incident on the registrant’s operations;
      • Whether any data was accessed, exfiltrated, altered or used for any other unauthorized purpose; and
      • The status of the registrant’s remediation efforts.
  • Forms 10-Q and 10-K would be amended to require registrants to provide updated disclosures relating to previously disclosed cybersecurity incidents, as specified in proposed Regulation S-K Item 106. New Item 106(d) would also require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become “material” in the aggregate.
  • Form 10-K would be amended to require disclosure specified in new Item 106 regarding:
      • The registrant’s cybersecurity risk management and strategy, including whether (i) the registrant has a cybersecurity risk assessment program and, if so, a description of the program; (ii) the registrant engaged auditors, consultants or others in connection with any risk assessment program; (iii) the registrant has policies and procedures to oversee cybersecurity risks relating to third-party service providers; (iv) the registrant undertakes activities to prevent, detect and minimize cyber incidents; (v) the registrant has a continuity, contingency and recovery plan in the event of a cyber incident; (vi) previous cyber incidents have informed changes to the registrant’s governance and technologies; (vii) cybersecurity risks and previous cyber incidents have affected or are reasonably likely to materially affect the registrant’s strategy, business model, results of operations or financial condition, and if so, how; and (viii) cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation, and if so, how.
      • The Board’s role in the oversight of cybersecurity risks, including (i) whether the entire board, specific board members or a board committee is responsible for oversight; (ii) the process by which the board is informed of cybersecurity risks, and the frequency of its discussions on this topic; and (iii) whether and how the board considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.
      • Management’s role in assessing and managing cybersecurity-related risks and implementing cybersecurity policies, procedures and strategies, including (i) whether designated individuals or committees are responsible for managing cybersecurity-related risks; (ii) whether the registrant has designated a chief information security officer (or similar position); (iii) the process by which such persons or committees are informed about and monitor the registrant’s cybersecurity program; and (iv) how frequently such persons or committees report to the board or a board committee about such matters.
  • In addition, new Regulation S-K Item 407(j) would require registrants to disclose whether any member of the board has cybersecurity expertise and, if so, to name that director and describe their expertise. In determining whether a director has cybersecurity expertise, the proposed rules provide that registrants should consider, among other matters, prior work experience in cybersecurity, certifications or degrees in cybersecurity, and knowledge and skills in cybersecurity (such as in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, and incident handling and planning).

All of the proposed Item 106 disclosures would be included in the Annual Report on Form 10-K in Part I, under new Item 1.C titled “Cybersecurity.” The disclosure required by proposed Item 407(j) could be included in the registrant’s proxy statement as it will be a part of the Form 10-K Part III section.

SEC Commissioner Peirce issued a Dissenting Statement in which she remarked that the proposal “flirts with casting us as the nation’s cybersecurity command center, a role Congress did not give us.”

The comment period expires May 9, 2022.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising
