SEC proposes to enhance cybersecurity disclosures


The SEC issued a Proposed Rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, to enhance and standardize cybersecurity disclosures for public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. The proposal is intended to improve the disclosures about a registrant’s risk management, strategy, and governance, as well as to provide timely notification of material cybersecurity incidents. The Proposed Rule would also require the disclosures to be presented in Inline XBRL format.


The comment period ends on the later of 30 days after the Proposed Rule is published in the Federal Register or May 9.




Incident disclosure


The proposed amendments would require current and periodic reporting about material cybersecurity incidents as follows:

  • Current reporting on Form 8-K: A registrant would be required to disclose information about the incident within four business days after the registrant determines that it has experienced such incident.
  • Periodic reporting: A registrant would be required to provide updated disclosure relating to previously disclosed incidents as well as disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial incidents have become material in aggregate.

The proposal would further amend Form 6-K to add “cybersecurity incidents” as a reporting topic.




Risk management, strategy, and governance disclosure


The proposal would require a registrant to disclose the following in its periodic reports:

  • Policies and procedures for the identification and management of risks from cybersecurity threats;
  • The board of directors’ oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk; and
  • Management’s role and expertise in implementing the respective policies, procedures, and strategies.

To the extent that any member of the board has cybersecurity expertise, the proposal would require a registrant to identify the name(s) of any such director(s) and any details necessary to fully describe the nature of the expertise in annual reports and certain proxy filings.



Grant Thornton insight

While this proposal is pending comments and further SEC action, we encourage registrants to continue reviewing their cybersecurity disclosures in light of the existing guidance, including the 2011 Division of Corporation Finance’s Disclosure Guidance, Topic No. 2: “Cybersecurity,” and the Interpretive Release, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, issued in 2018.




© 2022 Grant Thornton LLP, U.S. member firm of Grant Thornton International Ltd. All rights reserved.

This Grant Thornton LLP bulletin provides information and comments on current accounting issues and developments. It is not a comprehensive analysis of the subject matter covered and is not intended to provide accounting or other advice or guidance with respect to the matters addressed in the bulletin. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this bulletin. For additional information on topics covered in this bulletin, contact your Grant Thornton LLP professional.


More snapshots