The Securities and Exchange Commission has proposed rule changes it said are intended to improve and standardize reporting of cybersecurity risk management, strategy, governance, and incident disclosure by public companies.
The regulator said the proposed amendments aim to better inform investors about a public company’s risk management, strategy and governance, and to provide timely notification of material cybersecurity breaches. It said that “consistent, comparable, and decision-useful disclosures” would allow investors to evaluate a company’s exposure to cybersecurity risks and incidents, as well as its ability to manage and mitigate those risks and breaches.
“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend,” SEC Chair Gary Gensler said in a statement. “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.” Gensler added that if adopted, the proposal “would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”
In 2011, the SEC released guidance concerning existing disclosure obligations relating to cybersecurity risks and incidents, and in 2018 the regulator issued interpretive guidance to reinforce and expand upon the 2011 guidance. However, it said the new amendments were needed because cybersecurity risk and incident disclosure practices are still inconsistent, despite having improved in recent years.
The proposal includes an 8-K filing requirement for any material cyber-intrusion, as well as regular reporting on previously disclosed incidents. It would also amend Form 6-K to add “cybersecurity incidents” as a reporting topic. The changes also include adding a new item to Form 20-F to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents, and to require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents has become material.
The proposed changes would also require public companies to report regularly on their policies and procedures for identifying and managing cybersecurity risks, on how their boards oversee cybersecurity risk, and on management’s role and expertise in assessing and managing cybersecurity risk and implementing the relevant policies and procedures. Additionally, the proposal would require annual reporting, or certain proxy disclosure, about the cybersecurity expertise, if any, of boards of directors.