On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed amendments to rules to expand and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed rules respond to investor concerns related to the growing prevalence of cybersecurity incidents, the increasingly sophisticated methods of cyber criminals in executing their attacks, and the susceptibility of public companies of all sizes operating in all industries to cybersecurity incidents that can stem from intentional or unintentional acts. Public companies should examine their current cybersecurity-related policies to identify any gaps between existing policies and the proposed regulations. If there are any gaps, public companies should establish clear policies and procedures related to cybersecurity incident detection and reporting to comply with the new requirements.
The proposed amendments would require current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, among other things. The proposal also requires periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risk, the board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. Further, the proposal requires annual reporting or proxy statement disclosure about the board of directors’ cybersecurity expertise, if any.
Incident Reporting on Form 8-K
In particular, a new Item 1.05 would be added to Form 8-K requiring current reporting of material cybersecurity incidents within four business days thereof. The trigger date for the disclosure requirement is the date of the materiality determination, rather than the date of discovery of the incident. Required disclosure includes:
- when the incident was discovered and whether it is ongoing;
- a brief description of the nature and scope of the incident;
- whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
- the effect of the incident on the issuer’s operations; and
- whether the issuer has remediated or is currently remediating the incident.
Notably, an untimely Item 1.05 Form 8-K would not result in the loss of Form S-3 eligibility and would be covered by the safe harbor for Section 10(b) and Rule 10b-5 liability.
Periodic Reporting of Cybersecurity Updates and Director Expertise
Additionally, a new Item 106(d) of Regulation S-K would be added by the proposed amendments requiring periodic reporting of material changes, additions, or updates to information required to be disclosed pursuant to new Item 1.05 of Form 8-K for the covered period in which the material change, addition, or update occurred. Item 106(d) would also require companies to disclose when a series of previously undisclosed individually immaterial cybersecurity incidents becomes material in the aggregate. Proposed Item 106(d) also includes disclosure requirements of the company’s cybersecurity risks, threats, risk management, strategy and governance related thereto.
Finally, proposed Item 407(j) of Regulation S-K would require companies to annually disclose cybersecurity expertise of directors of the company, if any. Cybersecurity expertise would remain undefined but the proposed rule would introduce criteria relevant for the determination, such as whether the director has work experience in cybersecurity, whether the director obtained a certificate or degree in cybersecurity, and whether the director has knowledge, skills or other background in cybersecurity. Any identified cybersecurity experts would have the safe harbor used for ‘audit committee financial experts’ for purposes of Section 11 liability.
The proposal passed on party lines and the comment period ends on the later of 30 days after publication in the Federal Register or May 9, 2022.
Jim Kennedy practices in the Business Representation & Transactions Group. The focus of his practice is corporate, securities, and financing law, where he has extensive experience in mergers, acquisitions and ...
Mark Reuter advocates for business clients in transactions, proceedings and conflicts regulated by federal and state securities laws and stock exchange rules. A partner in the firm’s Business Representation & Transaction ...
As a partner in the firm’s Business Representation & Transactions Group, Allie Westfall’s insight and proven analytical skills help translate the complexities of the often-challenging securities laws. Allie’s counsel ...
Chris Brinkman practices in the firm's Business Representation & Transactions Group with a concentration in venture capital transactions, start-ups & growth companies, securities, and mergers and acquisitions.
Michael Goldman counsels businesses and investors on a broad range of general corporate transactions, with a particular focus on the sports and entertainment industry and commercial transactions involving technology ...