Last week, the U.S. Securities and Exchange Commission announced a proposed rule that, if adopted, will compel public companies to disclose their governance, risk management and strategy with respect to cybersecurity risks. In addition, these entities would have to report any material cybersecurity incidents.
The reasoning behind the SEC’s move is to allow investors to effectively assess cyber-related risks as they pertain to investment decisions. Toward that end, listed companies would be required to disclose the role that management and boards of directors have in overseeing cybersecurity risks; whether they have cyber policies and procedures in place; and how data breaches (and similar risks) might impact company financials.
The timing of the SEC’s proposal cannot be ignored. There has been a growing concern about how data breaches and the like can impact markets and investors. And in the wake of the war in Ukraine, regulators have warned of Russian cyberattacks in retaliation for western sanctions.
Pursuant to the rule as proposed by the SEC, the disclosure and reporting requirements would have to be set forth in current report filings, including Form 8-K. Updates would also be necessary in periodic reports to give investors more complete information on previously disclosed cybersecurity incidents.
According to SEC Chair Gary Gensler, “Companies that are raising money from the public have an obligation to share information with investors on a regular basis.” Now, this information may include that having to do with cybersecurity. Gensler adds, “Cybersecurity is an emerging risk with which public issuers increasingly must contend. The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.”
The proposed rule builds on existing SEC cyber risk guidance that will remain effective even if the proposal is ratified. In terms of ratification, the rule is now subject to public comment for 60 days, or 30 days following publication of the release in the Federal Register, if later.
If the proposed rule becomes effective in its current form and once the public comment period closes, issuers would be required to do all of the following:
1. Disclose cybersecurity incidents on Form 8-K within four days of making a determination that a cybersecurity incident is material;
2. Provide cybersecurity incident disclosures in their Form 10-Q or Form 10-K filings;
3. Reveal cybersecurity policies and procedures and governance; and
4. Furnish information about the cybersecurity expertise of members of the board of directors.
Of course, we will continue to monitor the SEC’s proposal through the public comment period and report back with any important news.
This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.