March 10, 2022

Cybersecurity: SEC Proposes Cyber Disclosure Rules

Yesterday, the SEC announced that it was proposing a series of new rules focusing on enhanced disclosure of cybersecurity issues by public companies.  Here’s the 129-page proposing release and here’s the 2-page fact sheet. The proposed rules would require current reporting & periodic updating about material cybersecurity incidents, and periodic disclosures about policies and procedures to address cybersecurity risks. In addition, companies would be required to disclose management’s role in implementing cybersecurity policies & the board’s cybersecurity expertise. This excerpt from the fact sheet spells out the specifics, and notes that the SEC proposes to:

– Amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident;

– Add new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate and amend Form 6-K to add “cybersecurity incidents” as a reporting topic;

– Add Item 106 to Regulation S-K and Item 16J of Form 20-F to require a registrant to: Describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation; and require disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies;

– Amend Item 407 of Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise. Proposed Item 407(j) would require disclosure in annual reports and certain proxy filings if any member of the registrant’s board of directors has expertise in cybersecurity, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise.

Commissioner Peirce dissented from the proposal. In her dissenting statement, she argues that “the governance disclosure requirements embody an unprecedented micromanagement by the Commission of the composition and functioning of both the boards of directors and management of public companies,” and that the granular nature of the proposed disclosure requirements makes them “look more like a list of expectations about what issuers’ cybersecurity programs should look like and how they should operate.”

The criticism of the rule as “micromanagement” of governance may be a fair comment, but if Commissioner Peirce thinks that kind of thing is unprecedented, she may want to take another look at what governance disclosures are already required by Item 407 of S-K.  In any event, the comment period will end 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.

John Jenkins