SEC Proposal on Cybersecurity Rule

On March 9, 2022, the Securities and Exchange Commission (SEC) released a proposal to mandate cybersecurity disclosures by public companies. If adopted, this proposal would strengthen investors’ ability to evaluate public companies’ cybersecurity protocols and incident reporting.

The SEC has required companies to disclose important information since the Great Depression. The basic premise is that investors get to decide what risks they wish to take, and companies that raise money from the public have an obligation to share information with investors on a regular basis. Over the years, disclosure needs have morphed to reflect evolving risks and investor needs. With changing technology, cybersecurity has become a risk that public companies have had to contend with at a growing rate, and investors want to know more about how issuers are managing those risks.

While many issuers already provide cybersecurity disclosure, the current proposal would require this information in a consistent and comparable manner, benefiting both companies and investors in two key ways:

First, it would require mandatory, ongoing disclosures on how a company governs its risk management and strategy with regard to cybersecurity risks, allowing investors to assess these risks more effectively. Under the proposed rules, companies would disclose information such as management’s and the board’s role in and oversight of cybersecurity risks, whether companies have cybersecurity policies and procedures, and how cybersecurity risks and incidents are likely to impact the company’s financials.

Second, it would require mandatory cybersecurity incident reporting. This reporting is critical because past cybersecurity incidents could affect investors’ decision-making about the possible risks of investing. When companies have an obligation to disclose incident information to investors, that information must be complete, accurate and timely. The proposal would specify when and what information about cybersecurity incidents companies must disclose in a current report, such as on Form 8-K. It would also require updates in periodic reports to give investors more complete information on previously disclosed, material cybersecurity incidents.
