Three months ago, the U.S. Securities and Exchange Commission (SEC) proposed amendments to its rules on cybersecurity risk management, strategy, governance and incident reporting by public companies subject to the reporting requirements of the Securities Exchange Act of 1934. The SEC’s view is that cybersecurity threats and incidents pose an ongoing risk to public companies, investors and market participants, as evidenced by the growing number and frequency of cyber attacks launched by cyber criminals using increasingly sophisticated methods.
The comment period on the proposal ended on May 9. Some 139 comment letters from companies, law firms, associations and other stakeholders were received. This Flash Report provides a synopsis of the comments received and offers a perspective on what companies should be doing as they prepare for the inevitable release of the SEC’s updated requirements.
The SEC proposal: An overview
The proposed amendments would require, among other things:
- Reporting of a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident. (Note: For purposes of the proposed cybersecurity incidents disclosure, “materiality” would be evaluated consistent with precedents set forth in judicial decisions, e.g., information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the total mix of information available.”)
- Reporting of material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, including any material impact on the issuer’s current and future operations and financial condition, whether the registrant has remediated or is currently remediating the incident, and any changes in the registrant’s policies and procedures as a result of the incident.
- Reporting of cybersecurity incidents that have become material in the aggregate.
- Disclosure of the company’s policies and procedures to identify and manage cybersecurity risks; the extent to which it engages third parties in its cyber risk assessment program; policies and procedures to oversee and identify cybersecurity risks associated with its use of third-party service providers; the business continuity, contingency and recovery plans in place; and how cybersecurity risks are considered as part of the registrant’s business strategy, financial planning and capital allocation.
- Disclosure of the issuer’s board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.
- Annual reporting or certain proxy disclosures about whether any member of the board of directors possesses cybersecurity expertise.
The intent of these proposed amendments is to inform investors better about a registrant’s risk management, strategy and governance and to provide timely notification of material cybersecurity incidents. The amendments also apply to foreign private issuers and add “cybersecurity incidents” as a reporting topic.