Skip to content

menu

Open Legal Blog Archive logo
HomeAboutBlogsFAQsSubmit

SEC Proposes New Disclosure Rules for Cyber Incidents

By Philip N. Yannella & Timothy Dickens on March 11, 2022

On March 9, 2022, the SEC proposed a new rule to enhance and standardize disclosures regarding cybersecurity incidents, risk management, strategy, and governance. If approved, public companies subject to the reporting requirements of the Securities and Exchange Act of 1934 will be subject to new disclosure requirements regarding (1) Cybersecurity Incidents, and (2) Cybersecurity Risk Management, Strategy, and Governance.Beginning with the incident disclosure requirements, the proposed rule amends Form 8-K to require disclosure of material cybersecurity incidents within four (4) days of identifying that a material event has occurred. The proposed rule also adds new items to Regulation S-K and Form 20-F that require public companies to provide updated disclosures relating to previously disclosed cybersecurity incidents. Further, these additions will require disclosure when a series of previously undisclosed and individually immaterial incidents become material in the aggregate. Finally, the proposed rule amends Form 6-K to add cybersecurity incidents as a reporting topic.

The proposed rule would also create a swath of new reporting requirements regarding cybersecurity risk management, strategy, and governance. Specifically, the amendments to Regulation S-K and Form 20-F would require a registrant to describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats. This includes disclosure of whether the company considers cybersecurity as part of its business strategy, financial planning, and capital allocation, and how management implements cybersecurity policies, procedures, and strategies.

Additionally, the proposed rule would obligate covered companies to provide specific disclosures addressing board involvement and knowledge of cybersecurity issues and planning. Specifically, companies would be obligated to disclose information about the board’s oversight of cybersecurity risk. The proposed rule would also amend Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise. This would include disclosures in annual reports and certain proxy filings if any member of the board has expertise in cybersecurity, their name(s), and any details necessary to describe the nature of the relevant expertise.

The proposed rule is open to public comment until at least May 8, 2022, and may be revised prior to final approval.

While many companies already provide cybersecurity related disclosures, the proposed rule provides enhanced clarity and standardization of what information is important to businesses and investors alike. Given the SEC’s recent focus on cybersecurity, we expect to see more related developments in the near future.

  • Posted in:
    Privacy & Data Security, Technology and IT
  • Blog:
    CyberAdviser
  • Organization:
    Ballard Spahr LLP
  • Article: View Original Source

Open Legal Blog Archive, Inc. logo
Seattle, Washington
Copyright © 2026, Open Legal Blog Archive, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo