New cybersecurity regulations to be released in April and May include reporting material cyber incidents within four business days

In March 2022, the Securities and Exchange Commission proposed rules requiring public companies to report material cybersecurity incidents within four business days after the company determines that such an incident has occurred. https://www.sec.gov/rules/proposed/2022/33-11038.pdf.

The proposed rules require current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal would also require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.

More specifically, the rules require the following:

The proposal requires companies to disclose any policies and procedures they have adopted to identify and manage cybersecurity risks and threats, including (1) operational risk; (2) intellectual property theft; (3) fraud; (4) extortion; (5) harm to employees or customers; (6) violation of privacy laws and other litigation and legal risk; and (7) reputational risk. Items that would require disclosure include whether:

In addition, the proposed rules would require disclosure of a company’s cybersecurity governance at the board and management levels.

Notably, the SEC specified that any director(s) with cybersecurity expertise will not formally be deemed an “expert,” nor would they inherit any additional duties, obligations, or liability.

The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.

The agency also published a critical fact sheet that expanded on the requirements for public companies. https://www.sec.gov/files/33-11038-fact-sheet.pdf In addition, the rules require periodic updates on reported incidents and on the cybersecurity governance and expertise of the board of directors. The final regulations are expected to be issued in April of this year. The SEC will also issue proposed regulations on registered brokers and dealers requiring disclosure of cybersecurity risks.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022, nestled within the Consolidated Appropriations Act of 2022, was signed into law by President Biden on March 15. It’s a step forward from today’s ad hoc, industry-specific guidance for voluntary disclosures by companies that have experienced cyber-attacks. Entities in the 16 critical infrastructure sectors defined in Presidential Policy Directive 21, including financial services, information technology, energy, healthcare and public health, food and agriculture, critical manufacturing, chemicals, communications, defense industrial base, emergency services, etc. (“covered entity”).

Various American businesses will be affected. Consider the new reporting requirement alongside the effective ways you get government assistance on cyber incidents today. Make no mistake: The requirement to report within 72 hours of a significant cyber incident should not stop you from working with your partners in government to get the help you need more quickly.

Jeffrey Newman is a whistleblower lawyer who can be reached at 617-823-3217 or Jeffrey.newman1@gmail.com