The SEC has proposed a new rule intended to increase transparency and give investors better information about the cybersecurity risks public companies face. The rule would make companies more accountable for those risks by requiring them to disclose the governance and management structures they have in place: how the board of directors oversees cybersecurity risk, what cybersecurity expertise management has, and what policies and procedures the company uses to identify and manage cybersecurity threats. The proposal is still at the comment stage. Among other things, it asks the public whether the terms "cybersecurity" and "cybersecurity incident" should be defined, whether the requirements should apply to all registrants, and whether certain categories of public companies, such as smaller reporting companies, should be exempted.
Disclosure of cybersecurity expertise of board of director members
The Securities and Exchange Commission (SEC) has proposed that companies disclose the cybersecurity expertise, if any, of their board members. The proposed rule does not set fixed criteria for what counts as cybersecurity expertise, but it lists factors a company should consider, such as prior work experience in cybersecurity, relevant certifications or degrees, and knowledge or skills in the field. The proposal also includes a safe harbor: a director identified as having cybersecurity expertise would not be deemed an "expert" for purposes of Section 11 of the Securities Act, and the designation would not impose duties or liabilities on that director beyond those of other board members. In addition, the disclosures would have to be tagged in Inline XBRL.
The proposed rule would require public companies to disclose the names of any directors who have cybersecurity expertise and to describe the nature of that expertise in enough detail for investors to evaluate it. The practical effect is likely to be pressure on companies to recruit directors with cybersecurity backgrounds. It may also expose companies whose boards lack such expertise to increased scrutiny from shareholders, to shareholder activism, and to shareholder litigation.
The proposed rule would also require companies to disclose, on a periodic basis, their policies and procedures for identifying and managing cybersecurity risk. Companies should think carefully about how much operational detail to disclose without weakening their security programs or giving attackers a map of their defenses. The required disclosure would include whether the company engages assessors, consultants, auditors, or other third parties in connection with its cybersecurity program, and how cybersecurity risk is considered as part of business strategy, financial planning, and capital allocation. Companies that already understand their cybersecurity risk profile will be better placed to meet the new disclosure requirements. The proposal does not itself change how companies must be governed, but it may require them to change how they communicate about cybersecurity.
The proposed rule does not mandate that boards perform a cybersecurity risk assessment. It does require companies to describe how the board oversees cybersecurity risk: whether the full board, a committee, or particular directors are responsible; how the board is informed about cybersecurity risk; and how frequently the board discusses it.
Requirements for disclosure of material cybersecurity incidents
Companies need to determine whether a cybersecurity incident is material as soon as reasonably practicable after discovering it. This requires collaboration between the company's IT, security, and legal functions, and that collaboration needs to be established before an incident occurs, not improvised during one. If the incident is under investigation, the investigation may shape the content of the disclosure, but under the proposal an ongoing internal or law enforcement investigation would not justify delaying it. Companies must therefore balance the needs of the investigation against the disclosure deadline.
Beyond timeliness, the proposal aims to give investors more consistent and comparable information about cybersecurity incidents. It would also require companies to update prior disclosures about incidents and to disclose incidents that were not previously reported. The SEC has, separately, established a Cyber Unit within its Enforcement Division and has brought numerous enforcement actions involving cybersecurity incidents, inadequate disclosures, and deficient disclosure controls. The commission has issued separate proposals addressing cybersecurity for investment advisers and funds on the one hand and for public companies on the other. For public companies, only cybersecurity incidents determined to be material would have to be reported on Form 8-K.
The proposed rule would require registrants to disclose a material cybersecurity incident on Form 8-K within four business days after the company determines that the incident is material, not four business days after the incident is discovered. The proposal also addresses aggregation: a series of previously undisclosed incidents that are individually immaterial may become material when considered together, and in that case the company would have to disclose them in its periodic report. For an individual incident, the Form 8-K disclosure would include when the incident was discovered and whether it is ongoing, a brief description of its nature and scope, whether any data was stolen, altered, accessed, or used for an unauthorized purpose, the effect on the company's operations, and whether the incident has been or is being remediated.
The SEC opened a public comment period on the proposed cybersecurity rules, and the text of the proposal is available on the SEC's website. If your company would be affected by the cybersecurity disclosure requirements, consider filing a comment before the deadline.
Comment period for proposed rule
The proposed rules would require issuers to disclose the cybersecurity expertise of their directors and management, but they would not require any attestation of competence. They do not specifically address whether an issuer should provide cybersecurity training to its employees. The SEC also asks whether the risk management disclosure should cover how a company oversees cybersecurity risk arising from third-party service providers and technology suppliers, and whether the proposed requirements are sufficiently robust.
The proposed rule would also require companies to disclose their cybersecurity policies and procedures on a periodic basis. This places a burden on companies, which must judge how much detail to reveal. Commenters have also raised concerns that the disclosures could duplicate information already required elsewhere and that overly specific disclosure could itself endanger security programs. The SEC is seeking comment on these points.
The SEC proposes to amend Item 407 of Regulation S-K to require companies to disclose the cybersecurity expertise of their directors in annual reports on Form 10-K and in proxy and information statements. These disclosures would include the names of the directors with such expertise and a description of its nature.