One month after it issued proposed regulations related to the cybersecurity policies of registered investment advisers and fund companies, the U.S. Securities and Exchange Commission has issued a second proposal related to the cybersecurity standards and disclosures of publicly traded companies.
Specifically, the SEC is proposing amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies.
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” says SEC Chair Gary Gensler in a press release announcing the proposal. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”
According to Gensler, the proposed amendments would require, among other things, current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ degree of oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.
The proposal would further require annual reporting and certain proxy disclosures about a public company’s board of directors’ cybersecurity expertise. The SEC’s leadership says the proposed amendments are intended to better inform investors about a registrant’s risk management, strategy and governance and to provide timely notification to investors of material cybersecurity incidents.
Among the changes highlighted are planned amendments to the Form 8-K that would require registrants to disclose information about a material cybersecurity incident within four business days after it is determined that one has occurred. The proposal would also add a new Item 106(d) of Regulation S-K and a new Item 16J(d) of Form 20-F, requiring that registrants provide updated disclosure relating to previously disclosed cybersecurity incidents and requiring disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.
In addition to incident reporting, the SEC is proposing to require enhanced and standardized disclosures on registrants’ cybersecurity risk management, strategy and governance. Specifically, the proposal would require registrants to describe their policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning and capital allocation.
Par for the course, the comment period will remain open for 60 days following publication of the proposal on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.
These regulatory actions come as the SEC, like many other regulators, ramps up its focus on cybersecurity issues. In fact, for several years, the SEC has specifically identified cybersecurity as a focus on its annual priorities list.
The list warns that the SEC’s enforcement division will “continue to evaluate whether regulated entities have established, maintained and enforced written cybersecurity policies and procedures as required.” The priorities list indicates areas of focus will include information technology governance, IT asset management, cyber threat management/incident response, business continuity planning and third-party vendor management, including utilization of cloud services.
Demonstrating its resolve, the SEC last year announced a series of sanctions against eight registered advisory firms for failures in their cybersecurity policies and procedures that resulted in what the agency describes as “email account takeovers,” which exposed the personal information of thousands of customers and clients at each firm.