Flash Report – SEC Cybersecurity Disclosure Enhancements: They’re Coming, in One Form or Another

Three months ago, the U.S. Securities and Exchange Commission (SEC) proposed amendments to its rules on cybersecurity risk management, strategy, governance and incident reporting by public companies subject to the reporting requirements of the Securities Exchange Act of 1934. The SEC’s view is that cybersecurity threats and incidents pose an ongoing risk to public companies, investors and market participants, as evidenced by the growing number and frequency of cyber attacks launched by cyber criminals using increasingly sophisticated methods.

The comment period on the proposal ended on May 9. Some 139 comment letters from companies, law firms, associations and other stakeholders were received. This Flash Report provides a synopsis of the comments received and offers a perspective on what companies should be doing as they prepare for the inevitable release of the SEC’s updated requirements.

The SEC proposal: An overview

The proposed amendments would require, among other things:

  • Reporting of a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident. (Note: For purposes of the proposed cybersecurity incident disclosure, “materiality” would be evaluated consistent with precedents set forth in judicial decisions, e.g., information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the total mix of information available.”)
  • Reporting of material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, including any material impact on the issuer’s current and future operations and financial condition, whether the registrant has remediated or is currently remediating the incident, and any changes in the registrant’s policies and procedures as a result of the incident.
  • Reporting of cybersecurity incidents that have become material in the aggregate.
  • Disclosure of the company’s policies and procedures to identify and manage cybersecurity risks; the extent to which it engages third parties in its cyber risk assessment program; policies and procedures to oversee and identify cybersecurity risks associated with its use of third-party service providers; the business continuity, contingency and recovery plans in place; and how cybersecurity risks are considered as part of the registrant’s business strategy, financial planning and capital allocation.
  • Disclosure of the issuer’s board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.
  • Annual reporting or certain proxy disclosures about whether any member of the board of directors possesses cybersecurity expertise.

The intent of these proposed amendments is to better inform investors about a registrant’s cybersecurity risk management, strategy and governance, and to provide timely notification of material cybersecurity incidents. The amendments also apply to foreign private issuers and add “cybersecurity incidents” as a reporting topic.
