On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed a rule that would heighten the disclosure requirements for public companies, expanding what they must communicate about both their assessment of cybersecurity risk and any material cybersecurity incidents. The proposed rule is intended to help investors make consistent, like-for-like comparisons of how companies consider and respond to cybersecurity risk.
The proposed rule builds on the disclosure guidance the SEC issued in 2011 and the interpretive guidance it issued in 2018. It was also proposed just days before the Strengthening American Cybersecurity Act was signed into law on March 15, 2022; that act establishes cyber incident reporting requirements to the Cybersecurity and Infrastructure Security Agency (CISA) for critical infrastructure entities, separate from the SEC's investor-focused disclosure regime.
The SEC has requested comments on 51 different topics throughout the proposed rule; comments are due May 9, 2022.
Prior SEC communications and guidance already established an expectation that companies disclose various cybersecurity considerations, including risk factors and the existence of material incidents, and further interpretive guidance was provided to help companies determine whether an incident should be considered material. However, none of that guidance was specific about the form of the disclosure, its required content or its timing. The proposed rule would replace principles-based expectations with more prescriptive requirements, aimed at improving "uniformity and comparability" for the benefit of investors.
Proposed changes include:
The SEC has identified inconsistencies in the nature, extent and location of registrants' cyber-related disclosures, and investors have reported difficulty performing comparative analysis of cyber risk across registrants. The proposed rule seeks to standardize reporting requirements so that investors can assess cyber risk in a more timely and uniform way when making investment decisions. Companies, and CISOs specifically, should critically assess two things against the proposed requirements: whether their current practices can support the shortened disclosure timeline for material incidents, and whether the nature and extent of management's cybersecurity program and governance activities are sufficient to be described publicly.
Companies that already provide robust cyber disclosures are well positioned to comply with the proposed rule with minimal impact. According to the SEC, companies with thorough cyber disclosures may also see a reduced cost of capital and improved access to capital markets. However, companies whose current disclosures are not sufficiently robust, or whose cyber programs and governance need enhancement, may need to implement significant change in relatively short order. Under a prescriptive disclosure regime, a thin disclosure does not hide a thin program: it signals one to investors and the public.
In considering the impact this proposed rule may have on your organization, CISOs, management and the board of directors should ask themselves questions such as:
For more information on this topic, or to learn how Baker Tilly cybersecurity specialists can help you assess your current practices or build a comprehensive cybersecurity management program, visit our resource page or contact our team.