SEC proposes improved uniformity and comparability of cybersecurity disclosures

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed a rule that will heighten the disclosure requirements for public companies, impacting their extent of communication related to both cybersecurity risk assessment and instances of material breaches. This proposed rule is intended to aid investors in performing consistent and uniform comparison of a company’s consideration of and response to cybersecurity risks. 

This proposed rule builds upon the disclosure guidance issued in 2011 and interpretive guidance issued in 2018. It was also proposed just days before the Strengthening American Cybersecurity Act was passed into law on March 15, 2022, which establishes specific reporting requirements to the Cybersecurity and Infrastructure Security Agency (CISA) for critical infrastructure companies. 

The SEC has requested comments on 51 different topics throughout the proposed rule; comments are due May 9, 2022.

What you need to know

Prior communications and guidance from the SEC already established an expectation that companies disclose various cybersecurity considerations, including risk factors and the existence of material incidents. Further interpretive guidance has been provided to aid companies in determining whether or not an incident should be considered material. However, none of the previously provided guidance has been specific as to the nature of the disclosure, required content or timeliness. The proposed rule intends to provide more prescriptive requirements, aimed at improving “uniformity and comparability” for the benefit of investors.

Proposed changes include: 

• Disclosure of details around a registered public company (“registrant”) cybersecurity risk management, strategy and governance programs, including the level of cybersecurity expertise resident within members of its board of directors and the nature of cybersecurity governance by a company’s management and board; 
• A specific Form 8-k, Item 1.05 disclosure within four business days of a registrant determining they have been subject to a material breach; 
• Standardized disclosure factors, including such items as the nature and scope of the incident, whether data was stolen, whether stolen data was misused, impact on business operations, and status of remediation activities; 
• Requirement to quantify multiple security incidents in order to determine whether a registrant was subject to a material impact in the aggregate, and 
• Ongoing disclosures providing updates to previously disclosed incidents. 

Why this is important

The SEC has identified a series of inconsistencies in the nature, extent and location of registrants’ cyber-related disclosures and investors have indicated difficulty in their ability to perform comparative analysis of cyber risk across registrants. The proposed rule looks to standardize reporting requirements to aid investors in a more timely and uniform assessment of cyber risk in their investment decisions. Companies, and CISOs specifically, should critically assess their current cyber practices as they pertain to the enhanced timeliness of disclosure, and the nature and extent of management’s cybersecurity programs and governance activities as it relates to proposed disclosure requirements.

Companies who are already providing robust cyber disclosures are well positioned to adhere to the proposed rule with minimal impact. According to the SEC, companies with thorough cyber disclosures may find a reduced cost of capital and improve their access to capital markets. However, companies whose current disclosures are not sufficiently robust, or whose cyber programs and governance need enhancement may face the need to implement significant change in relatively short order. In failing to provide a robust cyber disclosure, they run the risk of presenting a less than adequate cyber program to the public. 

Steps to take now

In consideration of the impact this proposed rule may have on your organization, CISOs, management and the board of directors should consider asking themselves questions such as: 

• Has the company performed a thorough review of the proposed rule and identified gaps in our ability to adequately respond with compliant disclosure? 
• What changes and/or enhancements to our disclosure process and controls would be required to comply with these new proposed rule changes?  
• Does the company’s disclosure committee have sufficient cybersecurity representation? 
• Do the company’s incident response plans provide enough direction on measuring the materiality of a breach, or its impact on business operations? 
• Does the company have sufficient cybersecurity expertise within management and/or the board of directors? 
• What changes will our company need to consider making to our cyber risk assessment program or governance activities? 
• Does the company plan to provide comments to the SEC prior to May 9, 2022? 

For more information on this topic, or to learn how Baker Tilly cybersecurity specialists can help you assess your current practices or build a comprehensive cybersecurity management program, visit our resource page or contact our team.