SEC Proposes Mandatory Cybersecurity Disclosures
Friday, March 18, 2022
SEC Requirement Company Cybersecurity Disclosures Data Breach Incidents
Print Mail Download i

Public companies may soon have another regulation to worry about when it comes to their cybersecurity regime.  Last week, citing the increase in cybersecurity incidents and the need for investors to be informed about cybersecurity risks in a timely matter, the Securities and Exchange Commission (SEC) proposed amendments to its rules that demand more of registrants when it comes to cybersecurity disclosures.

Specifically, under the proposed rules, public companies would be required to:

  • Publicly disclose material cybersecurity incidents within four days of a determination that the incident is material. The term “material” is interpreted consistently with the standard of materiality used in other securities laws: whether there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision, or if it would have significantly altered the total mix of information made available.

  • Include material updates of any previously disclosed incidents in quarterly Forms 10-Q and annual Forms 10-K. The SEC acknowledges that a lengthy investigation often is required to obtain complete information about a cybersecurity incident and an entity may not be able to disclose all necessary information as soon as the incident is deemed material.  Accordingly, the SEC proposes quarterly updates with material information relating to prior incidents (such as the scope of the incident or any remediation) to help keep investors informed.

  • Periodically disclose information about the company’s cybersecurity policies, procedures, and governance. The proposed rules would require registrants to provide details about their cybersecurity policies and procedures in their Forms 10-K, to the extent they have any. They would further require information about the role of management in implementing such policies and procedures, as well as the board’s role in overseeing cybersecurity risk.

  • Publicly disclose the cybersecurity expertise of the board. The SEC opines that investors may find it important to discover whether any board members of a company have cybersecurity expertise, such as prior experience as an information security officer or certifications in cybersecurity.

The proposed rules demonstrate the SEC’s continued focus on scrutinizing public companies’ cybersecurity infrastructure.  In anticipation of these proposed rules becoming final, registrants should review or bolster their cybersecurity policies and procedures.  A robust cybersecurity regime should include a plan to respond to possible cybersecurity incidents and  to meet the proposed four-day disclosure deadline in the event of a material incident.  Finally, companies should consider adding cybersecurity expertise to their management and board.

© 2024 Vedder Price

Current Legal Analysis

More from Vedder Price

New York Governor Vetoes Bill Banning Non-Compete Agreements
by: Jonathan A. Wexler
SEC’s Enforcement Director Comments on CCO Liability, Self-Reporting and Cooperation
by: Nathaniel Segal , Jacob C. Tiedt
SEC Staff Issues 2024 Examination Priorities
by: Nathaniel Segal , Jacob C. Tiedt
SEC Adopts Significant Amendments to Beneficial Ownership Reporting Requirements
by: Nathaniel Segal , Jacob C. Tiedt
SEC Adopts Securities Lending Disclosure Requirement
by: Nathaniel Segal , Jacob C. Tiedt
The Deal That Ended the SAG-AFTRA Strike
by: Labor and Employment Practice
Ringing in the New California Laws
by: Michael A. Wahlander
FTC and DOJ Publish 2023 Merger Guidelines
by: Brian K. McCalmon
The Corporate Transparency Act December 2023 Update
by: Joel R. Thielen
New York City Bans Employers from Creating Height and Weight Requirements
by: Jonathan A. Wexler

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins