The SEC’s Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
By: Irfan M. Dinani, Esq., and Brett J. Warren, Esq.
Over 100 years ago, Supreme Court Justice Louis Brandeis penned his famous statement that “Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.” Apropos of that, in an effort to bolster the investing public’s access to reporting companies’ (registrants’) information, the U.S. Securities and Exchange Commission (“SEC”) recently issued for public review and comment proposed rulemaking regarding disclosures relating to cybersecurity incidents, risk management, governance and strategy under both the Securities Act of 1933 and the Securities Exchange Act of 1934 (the “Proposed Rules”).[1]
Cybersecurity risks and threats have increased with the rise of a more digitally connected world due to: “the digitalization of registrants’ operations; the prevalence of remote work, which has become even more widespread because of the COVID-19 pandemic; the ability of cyber-criminals to monetize cybersecurity incidents, such as through ransomware, black markets for stolen data, and the use of crypto-assets for such transactions; the growth of digital payments; and increasing company reliance on third party service providers for information technology services, including cloud computing technology.”[2] The impacts on the economy, investors, and registrants are numerous and extensive. Concerned about the possible impact on a public company’s financial performance because of the inconsistent and untimely disclosure of material cybersecurity incidents, and the benefit to investors from public companies’ enhanced and frequent disclosure of whether and how cybersecurity risks, strategies and governance initiatives are managed,[3] the SEC issued the Proposed Rules on March 9, 2022.
Because of the disparate and inconsistent treatment – notably under- and untimely reporting – and the different disclosure forms used by registrants to report cybersecurity incidents and their concomitant risks, the Proposed Rules seek to enhance and standardize reporting requirements via the following amendments to:
- Current Report on Form 8-K – requires a registrant to disclose within four (4) days after its determination that it has experienced a material cybersecurity incident.[4]
- Quarterly Report on Form 10-Q and Annual Report on Form 10-K – requires a registrant to issue updated disclosures on previously disclosed cybersecurity incidents, and to disclose when a series of previously undisclosed, individually immaterial cybersecurity incidents becomes material in the aggregate.[5]
- Annual Report on Form 10-K – requires disclosures relating to, inter alia, the following: a registrant’s policies/procedures for identifying and managing cybersecurity risks, and the board’s oversight role relating thereto; cybersecurity governance; and, management’s role and relevant expertise in assessing/managing cybersecurity risks and implementing related policies, procedures, and strategies.[6]
In addition, the SEC seeks to impose identical requirements on foreign private issuers in their Annual Reports on Form 20-F and Interim Reports on Form 6-K.
Comments to the SEC’s Proposed Rules are due by May 9, 2022.
For more information or assistance with the SEC’s Proposed Rules on cybersecurity risk management and incident disclosure, please contact Irfan M. Dinani or Brett J. Warren.
Irfan is Counsel with Leech Tishman and a member of the Corporate and Real Estate Practice Groups. He is also a member of the Data Privacy & Cybersecurity Group, and leads the firm’s Emerging Cyber Technologies Group. Irfan is based in the Pittsburgh office and can be reached at 412.261.1600 or idinani@leechtishman.com.
Brett is an associate in Leech Tishman’s Corporate Practice Group, and is also a member of the Emerging Cyber Technologies Industry Group. Brett is based in the Pittsburgh office and can be reached at 412.261.1600 or bwarren@leechtishman.com.
Leech Tishman Fuscaldo & Lampl is a full-service law firm dedicated to assisting individuals, businesses, and institutions. Leech Tishman offers legal services in business restructuring & insolvency, corporate matters, employment & labor, estates & trusts, intellectual property, litigation & alternative dispute resolution, and real estate. In addition, the firm offers a wide range of legal services to clients in the aviation & aerospace, cannabis, construction, emerging cyber technologies, energy & natural resources, healthcare, and hospitality industries. Headquartered in Pittsburgh, PA, Leech Tishman also has offices in Chicago, Los Angeles, New York, Philadelphia, Sarasota, and Washington, D.C.
[1] See SEC Release Nos. 33-11038; 34-94382; IC-34529; File No. S7-09-22 on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf.
[2] Id. at pp. 6-7.
[3] Id. at p. 11.
[4] See Proposed Item 1.05.
[5] See Proposed Item 106(d) of Regulation S-K.
[6] See Proposed Items 106(b), (c)(1) and (2), 106(d), and 407(j) of Regulation S-K.