1. Home
  2. |Insights
  3. |SEC Proposes New Cybersecurity Risk and Incident Disclosure Obligations

SEC Proposes New Cybersecurity Risk and Incident Disclosure Obligations

Client Alert | 3 min read | 03.15.22

On March 9, 2022, the Securities and Exchange Commission (SEC) issued proposed rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (registrants) that are subject to the reporting requirements of the Securities Exchange Act of 1934.

The stated intent of the proposed amendments is to better inform investors regarding registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents. SEC’s position is that “consistent, comparable, and decision-useful disclosures” would allow investors to assess exposure to cybersecurity risks and incidents, including a registrant’s ability to manage and mitigate those risks and incidents.

As further summarized below, the requirements added by the SEC’s proposal include obligations to disclose information related to a material cybersecurity incident within four business days, as well as heightened requirements for disclosing information relating to cyber-related risk management, strategy, and governance.  Importantly, the reporting obligations contained in the SEC’s proposal underscore corporate executive leadership’s role in and responsibility for overseeing the cybersecurity of their respective companies.

The proposal is consistent with prior signaling from SEC Chair Gary Gensler that changes were coming, as he highlighted, for example, during his January 2022 remarks at Northwestern School of Law’s Annual Securities Regulation Institute.  The proposal’s direction is also consistent with the significant uptick in the SEC’s activity concerning cybersecurity-related matters following the SolarWinds supply chain attack, after which the SEC reportedly opened a probe into the attack’s effects and companies’ disclosures.

In the immediate term, the SEC’s proposal shows that this area is still evolving, but it also clearly signals that there is likely to be continuing increased SEC activity in this area.  While the evolving nature of the area may for the moment create challenges for the SEC to bring enforcement cases, it also puts public company executives on notice that they are responsible for their companies’ cyber-related actions to prepare for and in response to cyber-attacks.

The following is a summary of updates from the SEC’s proposal and Fact Sheet, which provides additional context related to the proposed cybersecurity amendments:

Reporting cybersecurity incidents on Forms 8-K

    • Requiring current reporting about material cybersecurity incidents on Form 8-K within four business days;
    • Amending Form 6-K to add “cybersecurity incidents” as a reporting topic;

Disclosure about cybersecurity incidents in periodic reports

    • A registrant’s policies and procedures to identify and manage cybersecurity risks;
    • Management’s role in implementing cybersecurity policies and procedures;
    • Updates about previously reported material cybersecurity incidents;
    • Requiring updated disclosures relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate;

Disclosure of a registrant’s risk management, strategy and governance regarding cybersecurity risks

    • Requiring registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy;
    • Requiring disclosure of whether cybersecurity related risk and previous incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition;
    • Requiring a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures, and strategies;

Disclosure regarding the board of directors’ cybersecurity expertise

    • Requiring disclosure about the cybersecurity expertise of members of the board of directors of the registrant, if any;

Periodic disclosure by foreign private issuers (FPI)

    • Requiring an FPI to include in its annual report on Form 20-F the same type of disclosure that would be required in periodic reports filed by domestic registrants:

- Item 106 of Regulation S-K. (1) provide updated disclosure in periodic reports about previously reported cybersecurity incidents; (2) describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity risks as part of its business strategy, financial planning and capital allocation; and (3) require disclosure about the board’s oversight of cybersecurity risk, management’s role in assessing and managing such risk, management’s cybersecurity expertise, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies; and

- Item 407 of Regulation S-K. Requiringdisclosure of whether any member of the registrant’s board has expertise in cybersecurity, and if so, the nature of such expertise.

The amendments also require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).

***

Crowell & Moring LLP is highly experienced at advising companies that are navigating cybersecurity and SEC compliance issues such as these.  We can provide guidance regarding this Alert and assist with privileged investigations, compliance efforts and other related activities.

Insights

Client Alert | 1 min read | 07.08.26

CAS Board Publishes Final Rule Rescinding CAS 404, 408, 409, and 4117

As part of its ongoing effort to conform the Cost Accounting Standards (“CAS”) to generally accepted accounting principles (“GAAP”), the CAS Board published a final rule rescinding CAS 408 (Accounting for costs of compensated personal absence) and CAS 411 (Accounting for acquisition costs of material).  The CAS Board also rescinded CAS 404 (Capitalization of tangible assets) and CAS 409 (Depreciation of tangible capital assets) but retained certain requirements of CAS 404 and 409, which will be located in new paragraphs of CAS 405 (Accounting for unallowable costs).  Specifically, the CAS Board retained the requirements currently located at CAS 404-50(d)(1), CAS 409-50(e)(5), CAS 409-50(j)(1), and CAS 409-50(j)(4), which the CAS Board explained are necessary to protect the Government’s interests.  Otherwise, the CAS Board determined that the requirements of CAS 404, 408, 409, and 411 overlapped with GAAP such that GAAP “may be applied reasonably as a substitute for CAS to support contract cost and pricing.”...