The SEC is proposing amendments to its rules that would enhance and standardize public company disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting.
In a 129-page proposed rule titled "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure," the SEC would require the following from public companies subject to the reporting requirements of the Securities Exchange Act of 1934:
Current reporting about material cybersecurity incidents on Form 8-K
To accommodate this, the SEC is proposing to:
- Amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident;
- Add new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate; and
- Amend Form 6-K to add "cybersecurity incidents" as a reporting topic.
Periodic disclosures related to risk management, strategy, and governance
The proposed rule seeks to provide more information related to the following:
- A registrant's policies and procedures to identify and manage cybersecurity risks;
- Management's role in implementing cybersecurity policies and procedures;
- Board of directors' cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
- Updates about previously reported material cybersecurity incidents.
Specifically, the proposal would:
- Add Item 106 to Regulation S-K and Item 16J of Form 20-F to require a registrant to (1) describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation; and (2) require disclosure about the board's oversight of cybersecurity risk and management's role and expertise in assessing and managing cybersecurity risk and implementing the registrant's cybersecurity policies, procedures, and strategies.
- Amend Item 407 of Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise. Proposed Item 407(j) would require disclosure in annual reports and certain proxy filings if any member of the registrant's board of directors has expertise in cybersecurity, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise.
The proposal also would require cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).
SEC Chair Gary Gensler said in a press release that the proposed rule amendments would improve the ability of investors to evaluate public companies' cybersecurity practices and incident reporting.
"Today, cybersecurity is an emerging risk with which public issuers increasingly must contend," he said. "Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner."
Not all the SEC commissioners agree with the proposed rule amendments. In a dissenting statement, Commissioner Hester M. Peirce said the precise disclosure requirements in the proposed rule look more like a list of expectations about what issuers' cybersecurity programs should look like and how they should operate. As such, she argued, they are beyond the scope of the commission's role.
"The commission regulates public companies' disclosures; it does not regulate public companies' activities," she said. "This proposal, however, flirts with casting us as the nation's cybersecurity command center, a role Congress did not give us."
The comment period for the proposals voted on Friday will be either 60 days following publication of the proposing news release on the SEC's website or 30 days following publication of the release in the Federal Register, whichever ends later.
— To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.