New SEC Rules Propose Public Companies Disclose More Cybersecurity Risk Management Practices and Incident Info

On Wednesday, the Securities and Exchange Commission (SEC) announced that it proposed new rules changing the way registered companies report cybersecurity incidents as well as their cyber risk management strategies. The proposed rules aim to better inform investors about a registrant’s risk preparedness and to provide timely notification of cybersecurity incidents in view of underreporting and untimely reporting concerns, the agency said.

With regard to breaches and other hacks, the SEC’s proposed amendments would require companies to disclose “material” cybersecurity incidents on Form 8-K within four business days after the registrant determines that the incident is material. Note that the four-day clock runs from the materiality determination, not from the date the incident was discovered.

“[R]egistrants would need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material,” the proposed rules explained. Further, such disclosure would have to specify the nature of the incident, whether it is ongoing, if data was stolen or otherwise manipulated, the impact on the company, and remedial efforts, if any.

Other proposed changes would require registrants to describe, up front in their periodic filings, the measures they currently have in place to detect, thwart, and address cyber threats. The proposed rules noted that in 2021, some registrants provided only “general disclosures, such as a reference to cybersecurity as one of the risks overseen by the board or a board committee.” In view of these vague representations, the SEC seeks to implement “more consistent and informative disclosure regarding their cybersecurity risk management and strategy.”

In closing, the SEC expressed its belief that the mandates would benefit investors by providing greater transparency. The agency is soliciting public comment on the proposed rules prior to finalization.