Cybersecurity

Flash Report – SEC Cybersecurity Disclosure Enhancements: They’re Coming, in One Form or Another

Technology Insights
June 3, 2022
3 min read

Three months ago, the U.S. Securities and Exchange Commission (SEC) proposed amendments to its rules on cybersecurity risk management, strategy, governance and incident reporting by public companies subject to the reporting requirements of the Securities Exchange Act of 1934. The SEC’s view is that cybersecurity threats and incidents pose an ongoing threat to public companies, investors and market participants, as evidenced by the growing number and greater frequency of occurrences of cyber attacks being launched by cyber criminals who are using increasingly sophisticated methods.

The comment period on the proposal ended on May 9. Some 139 comment letters from companies, law firms, associations and other stakeholders were received. This Flash Report provides a synopsis of the comments received and offers a perspective on what companies should be doing as they prepare for the inevitable release of the SEC’s updated requirements.

The SEC proposal: An overview

The proposed amendments would require, among other things:

  • Reporting of a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident. (Note: For purposes of the proposed cybersecurity incidents disclosure, “materiality” would be evaluated consistent with precedents set forth in judicial decisions, e.g., information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the total mix of information available.”
  • Reporting of material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, including any material impact on the issuer’s current and future operations and financial condition, whether the registrant has remediated or is currently remediating the incident, and any changes in the registrant’s policies and procedures as a result of the incident.
  • Reporting of cybersecurity incidents that have become material in the aggregate.
  • Disclosure of the company’s policies and procedures to identify and manage cybersecurity risks; the extent to which it engages third parties in its cyber risk assessment program; policies and procedures to oversee and identify cybersecurity risks associated with its use of third-party service providers; the business continuity, contingency and recovery plans in place; and how cybersecurity risks are considered as part of the registrant’s business strategy, financial planning and capital allocation.
  • Disclosure of the issuer’s board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.
  • Annual reporting or certain proxy disclosures about whether any member of the board of directors possesses cybersecurity expertise.

The intent of these proposed amendments is to inform investors better about a registrant’s risk management, strategy and governance and to provide timely notification of material cybersecurity incidents. The amendments also apply to foreign private issuers and add “cybersecurity incidents” as a reporting topic.

Read the full flash report here.

Technology Insights

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
3h

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More