Proposed SEC Cybersecurity Rules

James C. Kennedy, F. Mark Reuter, Allison A. Westfall, Christopher S. Brinkman, Michael W. Goldman

On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed amendments to rules to expand and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed rules respond to investor concerns related to the growing prevalence of cybersecurity incidents, the increasingly sophisticated methods of cyber criminals in executing their attacks, and the susceptibility of public companies of all sizes operating in all industries to cybersecurity incidents that can stem from intentional or unintentional acts. Public companies should examine their current cybersecurity-related policies to identify any gaps between existing policies and the proposed regulations. If there are any gaps, public companies should establish clear policies and procedures related to cybersecurity incident detection and reporting to comply with the new requirements.

The proposed amendments would require current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, among other things. The proposal also requires periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risk, the board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. Further, the proposal requires annual reporting or proxy statement disclosure about the board of directors’ cybersecurity expertise, if any.

Incident Reporting on Form 8-K

In particular, a new Item 1.05 would be added to Form 8-K requiring current reporting of material cybersecurity incidents within four business days thereof. The trigger date for the disclosure requirement is the date of the materiality determination, rather than the date of discovery of the incident. Required disclosure includes:

  • when the incident was discovered and whether it is ongoing;
  • a brief description of the nature and scope of the incident;
  • whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
  • the effect of the incident on the issuer’s operations; and
  • whether the issuer has remediated or is currently remediating the incident.

Notably, an untimely Item 1.05 Form 8-K would not result in the loss of Form S-3 eligibility and would be covered by the safe harbor for Section 10(b) and Rule 10b-5 liability.

Periodic Reporting of Cybersecurity Updates and Director Expertise

Additionally, a new Item 106(d) of Regulation S-K would be added by the proposed amendments requiring periodic reporting of material changes, additions, or updates to information required to be disclosed pursuant to new Item 1.05 of Form 8-K for the covered period in which the material change, addition, or update occurred. Item 106(d) would also require companies to disclose when a series of previously undisclosed, individually immaterial cybersecurity incidents becomes material in the aggregate. Proposed Item 106(d) also includes disclosure requirements covering the company’s cybersecurity risks and threats, and its risk management, strategy and governance related thereto.

Finally, proposed Item 407(j) of Regulation S-K would require companies to annually disclose the cybersecurity expertise of directors of the company, if any. Cybersecurity expertise would remain undefined, but the proposed rule would introduce criteria relevant to the determination, such as whether the director has work experience in cybersecurity, whether the director has obtained a certificate or degree in cybersecurity, and whether the director has knowledge, skills or other background in cybersecurity. Any identified cybersecurity experts would have the same safe harbor used for “audit committee financial experts” for purposes of Section 11 liability.

The proposal passed on party lines and the comment period ends on the later of 30 days after publication in the Federal Register or May 9, 2022.

Should you have any questions or need assistance, please contact us.

James C. Kennedy

F. Mark Reuter

Allison A. Westfall

Christopher S. Brinkman

Michael W. Goldman

KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.


© 2024 Keating Muething & Klekamp PLL. All Rights Reserved
