SEC proposes improved uniformity and comparability of cybersecurity disclosures
April 5, 2022 · Authored by Joe Shusko
On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed a rule that would heighten the disclosure requirements for public companies, expanding what they must communicate about both their cybersecurity risk management and any material cybersecurity incidents. The proposed rule is intended to let investors compare, on a consistent and uniform basis, how companies assess and respond to cybersecurity risk.
The proposed rule builds on the disclosure guidance the SEC issued in 2011 and the interpretive guidance it issued in 2018. It was also proposed just days before the Strengthening American Cybersecurity Act was signed into law on March 15, 2022. That act establishes incident-reporting requirements to the Cybersecurity and Infrastructure Security Agency (CISA) for critical infrastructure companies, which take effect once CISA finalizes its implementing regulations; the SEC's proposed rule is a separate obligation that applies to registrants regardless of sector.
The SEC has requested comment on 51 topics throughout the proposed rule; comments are due May 9, 2022.
What you need to know
Prior SEC communications and guidance already established an expectation that companies disclose various cybersecurity considerations, including risk factors and the existence of material incidents, and the interpretive guidance helps companies determine whether an incident is material. However, none of that guidance specified the form of the disclosure, its required content or its timing. The proposed rule adds more prescriptive requirements in each of these areas, aimed at improving "uniformity and comparability" for the benefit of investors.
Proposed changes include:
- Disclosure of details about a registered public company's ("registrant's") cybersecurity risk management, strategy and governance programs, including the cybersecurity expertise of members of its board of directors and how management and the board oversee cybersecurity risk;
- A new Form 8-K, Item 1.05 disclosure within four business days after a registrant determines that it has experienced a material cybersecurity incident (the four-day clock runs from the materiality determination, not from discovery of the incident, so a registrant needs a documented and timely process for making that determination);
- Standardized disclosure elements, including the nature and scope of the incident, whether data was stolen, whether stolen data was misused, the impact on business operations, and the status of remediation activities;