News

SEC proposes significant new cybersecurity disclosure requirements

SEC Update

25 March 2022

On March 9, 2022 the SEC proposed rule amendments that would require public companies to report detailed information about material cybersecurity incidents affecting their business and about their cybersecurity risk management and governance. The new requirements are intended to promote standardization of cybersecurity disclosure and the comparability of such disclosure across companies and time periods.

The SEC proposes to amend Regulation S-K and Exchange Act forms to require companies to report cybersecurity incidents on Form 8-K within four business days after the company determines the incident is material. Companies would also be required to provide updated disclosures on Forms 10-Q and 10-K about previously disclosed incidents, as well as to disclose in their periodic reports any series of previously undisclosed individually immaterial incidents that has become material in the aggregate.

The proposed requirements would extend beyond incident reporting to include information intended to enable investors to evaluate companies’ ability to manage and mitigate their cybersecurity risk and exposure. Companies would be required to describe in their Form 10-K reports their policies and procedures for identifying and managing cybersecurity risk, including whether they consider cybersecurity risk as part of their business strategy, financial planning, and capital allocation.

The annual reporting requirements would also encompass disclosure about the board’s oversight of cybersecurity risk, management’s cybersecurity expertise, management’s role in assessing and managing cybersecurity risk, and its role in implementing the company’s cybersecurity policies, procedures, and strategies. In addition, companies would be obligated to disclose on Form 10-K and in their annual proxy statements whether any board member has cybersecurity expertise and, if so, to describe the nature of that expertise.

The SEC’s release describing the proposed amendments (Release No. 33-11038) can be viewed here. The comment period on the proposal will be open until May 9.

Authored by Alan Dye (co-editor), Richard Parrino (co-editor), John Beckman, Kevin Greenslade, William Intner, Paul Otto, Harriet Pearson, and Nicholas Hoover.

Contacts

Alan Dye

Partner

location Washington, D.C.

SEC proposes significant new cybersecurity disclosure requirements

SEC Update

Contacts

Additional Resources

Related topics

Related countries

Related keywords

More like this

Recent developments in FCA enforcement under the DOJ’s Civil Cyber-Fraud Initiative

NIST refines Cybersecurity Security Framework, with increased focus on governance and supply chain

White House issues executive order on access to US sensitive personal data by countries of concern

The False Claims Act Guide: 2023 and the road ahead

Aerospace & Defense Insights | Key Provisions of the FY 2024 National Defense Authorization Act

The Data Chronicles: New Jersey's expected comprehensive privacy bill – instant reactions

Aerospace & Defense Insights | Part 1: Proposed cybersecurity FAR rules for U.S. government contractors

The Data Chronicles: The False Claims Act & cybersecurity

NIST seeks feedback on draft Cybersecurity Framework 2.0

Search