The SEC voted on March 9, 2022, by a vote of three to one, to propose regulations “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies” and strengthen investors’ ability to evaluate public companies' cybersecurity practices and incident reporting. 

1. Require current reporting about material cybersecurity incidents on Form 8-K;
2. Require periodic disclosures regarding a company’s:

• policies and procedures to identify and manage cybersecurity risks;
• management’s role and expertise in implementing cybersecurity policies and procedures;
• management’s role and expertise in assessing and managing cybersecurity risk;
• board of directors’ cybersecurity expertise and oversight of cybersecurity risk;
• and updates about previously reported material cybersecurity incidents.

The proposal addresses potential new cybersecurity disclosure requirements along two fronts: (i) material cybersecurity incidents; and (ii) cybersecurity risk management, strategy, and governance. The proposal’s release serves as a reminder to companies to consider their reporting, oversight and cybersecurity risk management practices periodically, particularly, in anticipation of heightened cybersecurity disclosure requirements and scrutiny by the SEC. The proposal follows prior SEC guidance on cybersecurity disclosures issued in 2011 and 2018.

The stated purpose of the proposal is to better inform investors about public companies’ cybersecurity risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents. The proposal marks the SEC’s first attempt to specify a time frame by which companies need to disclose cyber incidents.

If adopted, the proposed rules would:

1. Require current reporting about material cybersecurity incidents on Form 8-K;
2. Require periodic disclosures regarding a company’s:

• policies and procedures to identify and manage cybersecurity risks;
• management’s role and expertise in implementing cybersecurity policies and procedures;
• management’s role and expertise in assessing and managing cybersecurity risk;
• board of directors’ cybersecurity expertise and oversight of cybersecurity risk; and
• updates about previously reported material cybersecurity incidents.

The full proposal can be found here and the SEC press release here.

The public comment period will be open for 60 days following publication of the proposing release on the SEC’s website, May 9, 2022, or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.

Disclosure of Material Cybersecurity Incidents

The proposed rules would amend Form 8-K to require a company to disclose information about a material cybersecurity incident within four business days after the company determines that it has experienced a material cybersecurity incident. The event triggering the proposed reporting obligation is the company’s determination that a material cybersecurity incident has occurred and not merely the discovery of a cybersecurity incident. For purposes of assessing whether a cybersecurity incident is material, the proposal indicates materiality should be evaluated in a manner consistent with case law on materiality generally.

To the extent then known, the disclosure would be required to include: 

• when the incident was discovered and whether it is ongoing; 
• a brief description of the nature and scope of the incident;
• whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
• the effect of the incident on the company’s operations; and
• whether the company has remediated or is currently remediating the incident. 

Disclosure of technical information relating to any such cybersecurity incident or any potential vulnerability is not expected or required. However, as the disclosure requirements would extend only to information known by the company at the time of the required disclosure, a company is not permitted to delay its disclosure due to an investigation into any material cybersecurity incident.

In subsequent periodic reports the proposed rules would require disclosure of any material changes, additions or updates to information previously reported regarding a material cybersecurity incident. 

Disclosure of Cybersecurity Risk Management, Strategy, and Governance

To enhance and standardize disclosures about companies’ cybersecurity risk management, strategy and governance, the proposal would add Item 106 to Reg S-K. This item would require companies to describe their policies and procedures for identifying and managing risks related to cybersecurity threats, including whether, and if so, how, the company takes into account cybersecurity risks as part of its business strategy, financial planning and capital allocation. For example, such disclosure may describe a registrant’s cybersecurity risk assessment program and the steps it takes to detect and prevent cybersecurity incidents. A registrant must also disclose cybersecurity incidents or risks which have affected or are reasonably likely to affect results of operations and/or financial condition.

The proposed rules would require disclosure of a registrant’s cybersecurity governance policies, including board oversight procedures such as whether the board, specific board members, or a board committee is responsible for the oversight of cybersecurity risk management. The proposed rules require similar descriptions of management’s role with respect to cybersecurity incidents and risks.

Disclosure of Board of Directors’ Cybersecurity Expertise

The proposed rules would add a disclosure requirement in proxy statements for the election of directors regarding the cybersecurity expertise of members of the registrant’s board, if any. The release provides certain non-exclusive examples of what may constitute “cybersecurity expertise,” such as a director’s prior work experience, certification or degrees related to cybersecurity, or any skills or other background in cybersecurity. The proposing release also emphasized that a director designated as a cybersecurity expert will not be deemed an expert for any other purpose, and such a classification would not impose or diminish any duties, obligations and liability on such directors or the other directors under federal securities law.

Foreign Private Issuers

The SEC is proposing to amend Form 20-F to require annual disclosures regarding any previously undisclosed material cybersecurity incidents that have occurred during the reporting period and the same type of disclosure as that proposed in Reg S-K Items 106 and 407(j). The proposed amendments would also add reference to material cybersecurity incidents among the items that may trigger a current report on Form 6-K.

Practical Takeaways

In light of the proposed rules, companies may want to adopt certain improved governance and risk management measures. These should include regular reviews of their company’s policies and procedures related to cybersecurity risks and business resiliency and assessments of their company’s cybersecurity risks and capabilities. Company management and boards should also regularly evaluate the cybersecurity expertise of their members and consider the need for management-level personnel or board members with such expertise. With the focus of the proposal on board and management cybersecurity risk oversight, companies should consider assigning specific board committees and managers the task of overseeing cybersecurity risks. These measures would be designed to assist companies to promptly identify cybersecurity breaches and maintain compliance with disclosure requirements. 

To prepare for a cybersecurity incident, companies should prepare updates for their incident response plans and training in light of the proposed current reporting disclosure requirement. The update should include a checklist that lays out the information that must be disclosed in the event of a material cybersecurity incident under the proposed rules. 

The new four business day 8-K deadline may be challenging for companies to meet without protocols in place for prompt escalation and assessment of cybersecurity incidents. Companies should begin considering the proper internal disclosure procedures to ensure compliance with the 8-K requirements now.