Proposed SEC Rule Tells Corporates to Step Up Their Cybersecurity Game

Written By Elizabeth Saunders, Partner

March 18, 2022

Written by the Clermont Partners ESG Team

The SEC’s proposed rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure will amend the current interpretive guidance regarding disclosure of cybersecurity risks and incidents that were originally issued in 2011 and enhanced in 2018. Below is an abridged look at notable issues. 

Companies will be required to disclose material cybersecurity incidents within four business days 

The proposed rule will require SEC-registered companies to disclose the below information in an 8-K filing within four business days after a company determines the cybersecurity incident is material:  

  • Timing of the discovery and if the incident is ongoing 
  • A description of the incident, including type and scope 
  • If data was stolen, altered, accessed, or used for any unauthorized purpose 
  • How the company’s operations have been affected 
  • If the company has remediated the incident or is currently in the process of remediation 

Companies need to provide updates within their 10-Q or 10-K 

Companies disclosing within an 8-K then also will be required to disclose any material updates regarding reported incidents within the next 10-Q or 10-K, including if single immaterial incidents become collectively material. 

Companies will need to disclose their Cybersecurity oversight and requires Board expertise 

The proposed rule requires companies disclose their cybersecurity risk management, strategy, and governance and related policies/procedures. Oversight by executive management and the Board of Directors, whether full board or committee, disclosure will require including how and how frequently cybersecurity risks are discussed. Further, the Board will be required to identify cybersecurity expertise and provide details to support expertise.   

Rule status 

The proposed rule is within its 30-day comment period, ending May 8th, and the final rule should soon follow.  

Implication to corporates 

This proposed rule is likely to prompt action from nearly all corporate issuers, in some degree. Below are the steps corporates issuers should consider in preparing for these changes: 

Define materiality. Companies should begin setting internally-defined parameters identifying a material cybersecurity incident. The internal process should note that the proposed rule includes a consideration of combined immaterial cybersecurity incidents potentially rising to the level of material when viewed together over time. This should be done with input from various stakeholders, including investors.  

Set protocols. With the short window in the proposed rule, it is a good time to conduct an audit of your data privacy and security policies and set new alerts to material incident and design response protocols to be prepared ahead of an incident. 

Prepare for more disclosure in your 10-K. While cyber-related reporting is already required by the SEC, companies will likely be required to disclose more nuanced cybersecurity-related processes, such as those related to the controls, reporting process and remediation procedures. 

Identify a cyber-savvy board member and management. If not already identified, cybersecurity expertise on the board should be top priority. Be ready to share their expertise and management responsibility for oversight of process and risk mitigation.  

Foreign private issuers should look more closely. Proposed rules apply to foreign private issuers, including the requirement to report cybersecurity incidents and annual reporting of cyber-related procedures in place. 

If you have any questions on the proposed rules or want to ensure your cybersecurity disclosures will meet the new requirements, reach out and learn how Clermont Partners can help.

Back To Blog