On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed amendments to rules to expand and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed rules respond to investor concerns related to the growing prevalence of cybersecurity incidents, the increasingly sophisticated methods of cyber criminals in executing their attacks, and the susceptibility of public companies of all sizes operating in all industries to cybersecurity incidents that can stem from intentional or unintentional acts. Public companies should examine their current cybersecurity-related policies to identify any gaps between existing policies and the proposed regulations. If there are any gaps, public companies should establish clear policies and procedures related to cybersecurity incident detection and reporting to comply with the new requirements.
The proposed amendments would require current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, among other things. The proposal also requires periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risk, the board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. Further, the proposal requires annual reporting or proxy statement disclosure about the board of directors’ cybersecurity expertise, if any.
Incident Reporting on Form 8-K
In particular, a new Item 1.05 would be added to Form 8-K requiring current reporting of material cybersecurity incidents within four business days thereof. The trigger date for the disclosure requirement is the date of the materiality determination, rather than the date of discovery of the incident. Required disclosure includes:
- when the incident was discovered and whether it is ongoing;
- a brief description of the nature and scope of the incident;
- whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
- the effect of the incident on the issuer’s operations; and
- whether the issuer has remediated or is currently remediating the incident.
Notably, an untimely Item 1.05 Form 8-K would not result in the loss of Form S-3 eligibility and would be covered by the safe harbor for Section 10(b) and Rule 10b-5 liability.
Periodic Reporting of Cybersecurity Updates and Director Expertise
Additionally, a new Item 106(d) of Regulation S-K would be added by the proposed amendments requiring periodic reporting of material changes, additions, or updates to information required to be disclosed pursuant to new Item 1.05 of Form 8-K for the covered period in which the material change, addition, or update occurred. Item 106(d) would also require companies to disclose when a series of previously undisclosed individually immaterial cybersecurity incidents becomes material in the aggregate. Proposed Item 106(d) also includes disclosure requirements of the companies cybersecurity risks, threats, risk management, strategy and governance related thereto.
Finally, proposed Item 407(j) of Regulation S-K would require companies to annually disclose cybersecurity expertise of directors of the company, if any. Cybersecurity expertise would remain undefined but the proposed rule would introduce criteria relevant for the determination, such as whether the director has work experience in cybersecurity, whether they director obtained a certificate or degree in cybersecurity, and whether the director has knowledge, skills or other background in cybersecurity. Any identified cybersecurity experts would have the safe harbor used for ‘audit committee financial experts’ for purposes of Section 11 liability.
The proposal passed on party lines and the comment period ends on the later of 30 days after publication in the Federal Register or May 9, 2022.
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.
ADVERTISING MATERIAL.
© 2024 Keating Muething & Klekamp PLL. All Rights Reserved
- Partner
Mark Reuter advocates for business clients in transactions, proceedings and conflicts regulated by federal and state securities laws and stock exchange rules. A partner in the firm’s Business Representation & Transactions ...
- Partner
As a partner in the firm’s Business Representation & Transactions Group, Allie Westfall’s insight and proven analytical skills help translate the complexities of the often-challenging securities laws. Allie’s counsel ...
- Partner
Chris Brinkman practices in the firm's Business Representation & Transactions Group with a concentration in venture capital transactions, start-ups & growth companies, securities, and mergers and acquisitions.
Chris ...
- Associate
Michael Goldman counsels businesses and investors on a broad range of general corporate transactions, with a particular focus on the sports and entertainment industry and commercial transactions involving technology ...
Topics/Tags
Select- Securities Law
- SEC
- Corporate Transparency Act
- Nasdaq
- Cybersecurity and Privacy Law
- Securities Regulation
- Cybersecurity Regulation
- Corporate Law
- IRS
- Tax Planning
- Coronavirus
- Clawback Rules
- SEC Enforcement
- Taxation
- Dodd-Frank
- Mergers & Acquisitions
- Paycheck Protection Program
- JOBS Act
- Corporate Tax
- Economic Sanctions
- FAST Act
- Ohio LLC Act
- Corporate Governance
- Consumer Protection Act
- Proxy Access Rules
- Securities Litigation
- Crowdfunding
- Conflict Minerals
- Cryptocurrency
- Hedging
- Real Estate Law
- Emerging Growth Companies
- Investors
- Pay Ratio Disclosure
- Whistleblower
- Private Offerings
- Intellectual Property
- Technology
- Opportunity Zone
- LIBOR
- Executive Compensation
- Health Care Act
- Accredited Investors
- Sales Tax
- United States Supreme Court
- Online Trading Platforms
- Wall Street Reform
- IPO
- Registration Statement
- Annual Reports
- Family-Controlled Entities
- Gift and Estate Transfers
- Ohio Foreclosure Reform
- Director Compensation
- Board of Directors
- Director Independence
- Cyber Insurance
- Data Breach
- Lenders
- Receivership Statute
- Regulation A
- Regulation D
- Total Shareholder Return
- Compensation Committee Certification
- CDEs
- CDFI Fund
- Community Development Entities
- Community Development Financial Institutions Fund
- Government Shutdown
- New Markets Tax Credit
- NMTC
- NMTC Financing
- Regulation Fair Disclosure
- Social Media
- Benefits
- Healthcare Reform
- Litigation
- Marketing
- Public Company Transition Rules
- Employment Incentives
- HIRE Act
- Social Security Tax
- Tax Credit
Recent Posts
- Corporate Transparency Act Updates: Fifth Circuit Vacates the Stay and Preliminary Injunction Reinstated
- Corporate Transparency Act Reporting Deadline Back in Effect; FinCEN Grants Deadline Extension
- Fifth Circuit Nixes Nasdaq Board Diversity Rules
- Corporate Transparency Act Update: Texas Federal Court Issues Nationwide Injunction
- SEC Fines Four Companies $7M for Violating Cyber Disclosure Rules
- FinCEN Issues Additional Guidance for Reporting Companies on Dissolved Entities
- Division of Corporation Finance Director Statement: The State of Disclosure Review
- FinCEN Issues Additional Guidance for HOAs and Trusts under the Corporate Transparency Act
- SEC Wins ‘Shadow Insider Trading’ Trial
- SEC Voluntarily Stays Climate Rules