Flash Report – SEC Cybersecurity Disclosure Enhancements: They’re Coming, in One Form or Another

Three months ago, the U.S. Securities and Exchange Commission (SEC) proposed amendments to its rules on cybersecurity risk management, strategy, governance and incident reporting by public companies subject to the reporting requirements of the Securities Exchange Act of 1934. The SEC’s view is that cybersecurity threats and incidents pose an ongoing threat to public companies, investors and market participants, as evidenced by the growing number and frequency of cyber attacks launched by cyber criminals who are using increasingly sophisticated methods.

The comment period on the proposal ended on May 9. Some 139 comment letters from companies, law firms, associations and other stakeholders were received. This Flash Report provides a synopsis of the comments received and offers a perspective on what companies should be doing as they prepare for the inevitable release of the SEC’s updated requirements.

The SEC proposal: An overview

The proposed amendments would require, among other things:

  • Reporting of a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident. (Note: For purposes of the proposed cybersecurity incidents disclosure, “materiality” would be evaluated consistent with precedents set forth in judicial decisions, e.g., information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the total mix of information available.”)
  • Reporting of material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, including any material impact on the issuer’s current and future operations and financial condition, whether the registrant has remediated or is currently remediating the incident, and any changes in the registrant’s policies and procedures as a result of the incident.
  • Reporting of cybersecurity incidents that have become material in the aggregate.
  • Disclosure of the company’s policies and procedures to identify and manage cybersecurity risks; the extent to which it engages third parties in its cyber risk assessment program; policies and procedures to oversee and identify cybersecurity risks associated with its use of third-party service providers; the business continuity, contingency and recovery plans in place; and how cybersecurity risks are considered as part of the registrant’s business strategy, financial planning and capital allocation.
  • Disclosure of the issuer’s board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.
  • Annual reporting or certain proxy disclosures about whether any member of the board of directors possesses cybersecurity expertise.

The intent of these proposed amendments is to inform investors better about a registrant’s risk management, strategy and governance and to provide timely notification of material cybersecurity incidents. The amendments also apply to foreign private issuers and add “cybersecurity incidents” as a reporting topic.

Read the full flash report here.
