On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed amendments to rules to expand and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed rules respond to investor concerns related to the growing prevalence of cybersecurity incidents, the increasingly sophisticated methods of cyber criminals in executing their attacks, and the susceptibility of public companies of all sizes operating in all industries to cybersecurity incidents that can stem from intentional or unintentional acts. Public companies should examine their current cybersecurity-related policies to identify any gaps between existing policies and the proposed regulations. If there are any gaps, public companies should establish clear policies and procedures related to cybersecurity incident detection and reporting to comply with the new requirements.
The proposed amendments would require current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, among other things. The proposal also requires periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risk, the board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. Further, the proposal requires annual reporting or proxy statement disclosure about the board of directors’ cybersecurity expertise, if any.
Incident Reporting on Form 8-K
In particular, a new Item 1.05 would be added to Form 8-K requiring current reporting of material cybersecurity incidents within four business days thereof. The trigger date for the disclosure requirement is the date of the materiality determination, rather than the date of discovery of the incident. Required disclosure includes:
- when the incident was discovered and whether it is ongoing;
- a brief description of the nature and scope of the incident;
- whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
- the effect of the incident on the issuer’s operations; and
- whether the issuer has remediated or is currently remediating the incident.
Notably, an untimely Item 1.05 Form 8-K would not result in the loss of Form S-3 eligibility and would be covered by the safe harbor for Section 10(b) and Rule 10b-5 liability.
Periodic Reporting of Cybersecurity Updates and Director Expertise
Additionally, a new Item 106(d) of Regulation S-K would be added by the proposed amendments requiring periodic reporting of material changes, additions, or updates to information required to be disclosed pursuant to new Item 1.05 of Form 8-K for the covered period in which the material change, addition, or update occurred. Item 106(d) would also require companies to disclose when a series of previously undisclosed, individually immaterial cybersecurity incidents becomes material in the aggregate. Proposed Item 106(d) also includes disclosure requirements regarding the company’s cybersecurity risks and threats, and its risk management, strategy and governance related thereto.
Finally, proposed Item 407(j) of Regulation S-K would require companies to annually disclose the cybersecurity expertise of the company’s directors, if any. Cybersecurity expertise would remain undefined, but the proposed rule would introduce criteria relevant to the determination, such as whether the director has work experience in cybersecurity, whether the director has obtained a certificate or degree in cybersecurity, and whether the director has knowledge, skills or other background in cybersecurity. Any identified cybersecurity experts would have the same safe harbor used for ‘audit committee financial experts’ for purposes of Section 11 liability.
The proposal passed on party lines and the comment period ends on the later of 30 days after publication in the Federal Register or May 9, 2022.
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.
© 2022 Keating Muething & Klekamp PLL. All Rights Reserved