TheCorporateCounsel.net

The SEC’s latest Reg Flex Agenda included proposing rule amendments to “enhance issuer disclosures regarding cybersecurity risk governance.” The SEC has targeted October 2021 as the date for a rule proposal, and this Mayer Brown memo says that the agency is unlikely to stop there. Instead, it’s reasonable to expect that the SEC will seek to address perceived deficiencies in the 2018 Guidance, by, among other things, providing clearer guidance on what constitutes “materiality” and “timeliness” when it comes to notices of cyber-attacks.

The memo makes a number of suggestions as to how companies can prepare for SEC rulemaking in this area. This excerpt addresses the need for companies to review their existing policies and procedures:

The 2018 Guidance encourages public companies to develop substantive cybersecurity risk management policies and procedures. Specifically, the guidance provides that these policies should include clear instructions on how to identify and elevate information to key stakeholders and senior leaders so that appropriate disclosures can be made regarding cybersecurity incidents and risks.

Companies that incorporated this guidance in 2018 should review whether they are comfortable with their policies and procedures now that this guidance is likely to become mandatory. Companies that have not enhanced their policies must now review the existing policies to expressly consider cybersecurity risks as potentially material and should begin preparing now to review and update their disclosure controls to verify that they are sufficient.

Other areas that the memo recommends companies address include preparing criteria for determining materiality, enhancing board oversight and employee training, and reviewing cybersecurity disclosures in prior filings.

– John Jenkins