Everything You Need to Know About the Proposed SEC Cybersecurity Reporting Requirements
Blog Article Published: 06/09/2023
Originally published by BARR Advisory.
Written by Claire McKenna.
Last year, the Securities and Exchange Commission (SEC) proposed new rules to enhance and standardize cybersecurity risk management, strategy, governance, and incident reporting disclosure practices by public companies and other market entities.
The proposed rules could have a sweeping impact on all public companies that are subject to the Securities Exchange Act of 1934. Let’s take a closer look at what the proposed rules include.
The proposed rules would require public companies to disclose information about a material cybersecurity incident within four business days after determining an incident occurred. This includes information such as when the incident was discovered, whether it has been resolved, what the scope of the incident includes, and whether or not any data was compromised as a result of the incident. Companies will also be required to provide updates on previously disclosed cybersecurity incidents.
But what constitutes a material incident? According to the SEC, “information is defined as material if there is a substantial likelihood that a reasonable shareholder would consider it important in an investment decision.”
When determining the materiality of an incident, public companies will need to consider:
- Whether or not data was compromised;
- Whether or not the company’s policies and procedures were violated;
- Whether or not access to data changed following the incident;
- Whether or not a malicious actor gained access to data, threatened the organization, and/or demanded payment.
To determine whether an incident is material or not, I recommend working with a dedicated cybersecurity partner to assist with the potential disclosure.
Risk Management, Strategy, and Governance Disclosure
In addition to requiring incident reporting, the proposed rules will also require public companies to periodically report on their risk management, strategy, and governance. This includes reporting on the company’s cybersecurity policies and procedures, the role of management on implementing said policies and procedures, and cybersecurity expertise at the board level.
Given the financial impact that cybersecurity risks and incidents can have, the proposed rules are intended to allow investors in a publicly traded company to understand the company’s risk management, strategy, and cybersecurity practices and better inform their investment decisions.
“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” stated SEC Chair Gary Genslinger.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.