Public companies may soon have another regulation to worry about when it comes to their cybersecurity regimen. On March 9, 2022, citing the increase in cybersecurity risks in a timely manner, the Securities and Exchange Commission (SEC) proposed amendments to its rules that demand more of registrants when it comes to cybersecurity disclosures.
Specifically, under the proposed rules, public companies would be required to do the following:
- Publicly disclose material cybersecurity incidents within four days of a determination that the incident is material. The term “material” is interpreted consistently with the standard of materiality used in other securities laws: whether there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision, or if it would have significantly altered the total mix of information made available.
- Include material updates of any previously disclosed incidents in quarterly Forms 10-Q and annual Forms 10-K. The SEC acknowledges that a lengthy investigation often is required to obtain complete information about a cybersecurity incident and an entity may not be able to disclose all necessary information as soon as the incident is deemed material. Accordingly, the SEC proposes quarterly updates with material information relating to prior incidents (such as the scope of the incident or any remediation) to help keep investors informed.
- Periodically disclose information about the company’s cybersecurity policies, procedures and governance. The proposed rules would require registrants to provide details about their cybersecurity policies and procedures in their Forms 10-K, to the extent they have any. They would further require information about the role of management in implementing such policies and procedures, as well as the board’s role in overseeing cybersecurity risk.
- Publicly disclose the cybersecurity expertise of the board. The SEC opines that investors may find it important to discover whether any board members of a company have cybersecurity expertise, such as prior experience as an information security officer or certifications in cybersecurity.
The proposed rules demonstrate the SEC’s continued focus on scrutinizing public companies’ cybersecurity infrastructure. In anticipation of these proposed rules becoming final, registrants should review or bolster their cybersecurity policies and procedures. A robust cybersecurity regime should include a plan to respond to possible cybersecurity incidents and to meet the proposed four-day disclosure deadline in the event of a material incident. It is also advisable to discuss the plan, once adopted, with outside counsel so that counsel is prepared to assist in the event of a reportable incident. Finally, companies should consider adding professionals with cybersecurity expertise to their management and board.