United States Securities And Exchange Commission Proposes New Cybersecurity Rules For Publicly Listed Companies

On March 9, 2022, the United States Securities and Exchange Commission (SEC) announced proposed rules that will mandate public companies to comply with a series of disclosure requirements relating to their response to cybersecurity incidents and management of cyber risks.

The proposed rules would require regulated companies to disclose information about a cybersecurity incident within four business days of determining that it was a material incident. The SEC advises that a company’s materiality analysis should not be a mechanical exercise or solely based on a quantitative analysis of the incident. Instead, companies should take on the perspective of a reasonable investor and “thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material.”

If a situation is determined to be material, the proposed rules would require companies to disclose the following information to the extent known:

1. when the incident was discovered and whether it is ongoing;
2. a brief description of the nature and scope of the incident;
3. whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
4. the effect of the incident on the company’s operations; and
5. whether the company has remediated or is currently remediating the incident. 

Furthermore, the proposed rules will implement ongoing disclosure requirements for regulated companies. This includes the requirement to provide updates in future reports filed with the SEC that detail any material facts uncovered after submission of the initial cybersecurity incident disclosure. Companies would also be required to disclose “when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate.”

In addition to reporting on cyber incidents, the SEC’s proposed rules will require companies to make periodic disclosures about their internal policies, including:

• any policies and procedures for identifying and managing cybersecurity risks;
• the company’s cybersecurity governance framework, including the board of directors’  cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
• management’s role, and relevant expertise, in assessing and managing cybersecurity related risks and implementing related policies, procedures, and strategies.

The SEC’s is accepting comments on its proposed rules until May 9, 2022. These comments can be submitted by email to rule-comment@sec.gov or through the following internet comment form: https://www.sec.gov/rules/submitcomments.htm. Public comments may also be mailed to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090. All submissions should refer to the File Number S7-09-22, which includes adding this number to the subject line of emails.

Summary By: Imtiaz Karamat