The SEC issued a Proposed Rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, to enhance and standardize cybersecurity disclosures for public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. The proposal is intended to improve the disclosures about a registrant’s risk management, strategy, and governance, as well as to provide timely notification of material cybersecurity incidents. The Proposed Rule would also require the disclosures to be presented in Inline XBRL format.
The comment period ends on the later of 30 days after the Proposed Rule is published in the Federal Register or May 9.
The proposed amendments would require current and periodic reporting about material cybersecurity incidents as follows:
- Current reporting on Form 8-K: A registrant would be required to disclose information about the incident within four business days after the registrant determines that it has experienced such incident.
- Periodic reporting: A registrant would be required to provide updated disclosure relating to previously disclosed incidents as well as disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial incidents have become material in aggregate.
The proposal would further amend Form 6-K to add “cybersecurity incidents” as a reporting topic.
Risk management, strategy, and governance disclosure
The proposal would require a registrant to disclose the following in its periodic reports:
- Policies and procedures for the identification and management of risks from cybersecurity threats;
- The board of directors’ oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk; and
- Management’s role and expertise in implementing the respective policies, procedures, and strategies.
To the extent that any member of the board has cybersecurity expertise, the proposal would require a registrant to identify the name(s) of any such director(s) and any details necessary to fully describe the nature of the expertise in annual reports and certain proxy filings.