SEC Proposes Cybersecurity Risk Management, Governance & Disclosure

By Randi Morrison posted 03-09-2022 02:52 PM


[Reported in today's Society Alert]

As anticipated based on the SEC’s regulatory agenda and prior remarks made by SEC Chair Gary Gensler and staff (see, e.g., “SEC Cybersecurity”), at an open meeting today, the SEC proposed rules and amendments regarding cybersecurity risk management, governance, and incident disclosure.

Based on the Fact Sheet, and the proposing release, the rule would require:

I. Form 8-K reporting (filed, not furnished) of material cybersecurity incidents within four business days after the company determines it has experienced such an incident. The proposed trigger is the date of the company’s materiality determination rather than the date of the incident; however, the instruction to Form 8-K will require companies to make a materiality determination as soon as reasonably practicable after discovery, and the definition of “cybersecurity incident” includes incidents affecting information resources that are used but not owned by the company (i.e., information systems owned by third parties). See pages 22 – 23 of the proposing release and the definitions on page 41 of the release.

II. Periodic disclosures regarding, among other things:

  • Company policies and procedures to identify and manage cybersecurity risks, including whether the company considers cybersecurity as part of its business strategy, financial planning, and capital allocation (see pages 37 - 38 of the proposing release)
  • Management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures (see page 40 of the proposing release)
  • Board cybersecurity risk oversight (see page 39 of the proposing release)
  • Board member cybersecurity expertise (if any), including director name(s) and information that describes the nature of the expertise (see pages 44 - 45 of the proposing release)
  • Updated disclosure about previously disclosed material cybersecurity incidents (see page 32 of the proposing release)
  • Disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate, to the extent known to management (see page 33 of the proposing release)

III. Disclosures presented in Inline XBRL

The comment letter deadline is the later of 60 days following publication of the proposing release on the SEC’s website (today) or 30 days following publication of the proposing release in the Federal Register. The Society plans to comment. Society members interested in assisting with the comment letter should contact Kate Kelly at krkelly@fb.com or Ted Allen at tallen@societycorpgov.org.

See the SEC’s press release; these statements from SEC Chair Gary Gensler and Commissioners Crenshaw and Peirce (dissenting); and additional resources on our Cybersecurity/Data Privacy page.
