A significant and increasing amount of economic activity requires digital technology and electronic communications. Cybersecurity risks and incidents can impact the financial performance or position of a company and are a major focus for investors, who want information on how companies manage them.
To address investor demand regarding registrants’ cybersecurity risk management, strategy, and governance practices, the SEC issued proposed rule 33-11038, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
Comments on the proposed rule are due May 9, 2022, or 30 days after publication in the Federal Register, whichever is later.
Background
There are no current disclosure requirements in Regulation S-K or S-X that explicitly refer to cybersecurity risks or incidents. The SEC staff observed that cybersecurity risks are most often disclosed in the risk factor section of the registrant’s annual report on Form 10-K.
It may be difficult, however, for investors to locate, interpret, and analyze the information provided as the disclosures sometimes blend with other unrelated disclosures.
The proposed rules are intended to enhance and standardize disclosures regarding cybersecurity risk management, strategy, and governance, and of cybersecurity incidents.
The proposed rules would require reporting of material cybersecurity incidents and periodic updates about previously reported cybersecurity incidents.
Specifically, the proposed rules would amend Form 8-K to require disclosure of information about a material cybersecurity incident within four business days of determining the incident is material.
To the extent possible, the following information would be required to be disclosed:
- When the incident was discovered and whether it’s ongoing
- A brief description of the nature and scope of the incident
- Whether any data was stolen, altered, accessed, or used for any unauthorized purpose
- The effect of the incident on operations
- Whether the incident was or is being remediated
The proposed rules would add Item 106(d) of Regulation S-K to require:
- Updates to previously disclosed cybersecurity incidents
- Disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in aggregate
Risk Management, Strategy, and Governance Disclosure
The proposed rules would require periodic disclosures of policies and procedures for identifying and managing cybersecurity risks, and management’s role in implementing cybersecurity protections.
Companies would also have to disclose the board of directors’ cybersecurity expertise and its oversight of cybersecurity risk.
Specifically, the proposed rule would amend Form 10-K by adding Item 106 to Regulation S-K to require a registrant to:
- Describe its policies and procedures for the identification and management of cybersecurity risks, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation
- Disclose its cybersecurity governance, including the board’s oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing related policies, procedures, and strategies
The proposed rule would also amend Item 407 of Regulation S-K to require disclosure regarding board member cybersecurity expertise. Proposed Item 407(j) would require disclosure in annual reports and certain proxy filings if any member of the registrant’s board of directors has expertise in cybersecurity, including the name of any such director and any detail necessary to fully describe the nature of the expertise.
We’re Here to Help
For more information on how the proposed amendments to the SEC rules regarding cybersecurity may affect your business, contact your Moss Adams professional.