On March 9, 2022, the United States Securities and Exchange Commission (SEC) announced proposed rules that will require public companies to comply with a series of disclosure requirements relating to their response to cybersecurity incidents and management of cyber risks.
The proposed rules would require regulated companies to disclose information about a cybersecurity incident within four business days of determining that it was a material incident. The SEC advises that a company’s materiality analysis should not be a mechanical exercise or solely based on a quantitative analysis of the incident. Instead, companies should take on the perspective of a reasonable investor and “thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material.”
If a situation is determined to be material, the proposed rules would require companies to disclose the following information to the extent known:
Furthermore, the proposed rules will implement ongoing disclosure requirements for regulated companies. This includes the requirement to provide updates in future reports filed with the SEC that detail any material facts uncovered after submission of the initial cybersecurity incident disclosure. Companies would also be required to disclose “when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate.”
In addition to reporting on cyber incidents, the SEC’s proposed rules will require companies to make periodic disclosures about their internal policies, including:
The SEC is accepting comments on its proposed rules until May 9, 2022. These comments can be submitted by email to rule-comment@sec.gov or through the following internet comment form: https://www.sec.gov/rules/submitcomments.htm. Public comments may also be mailed to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090. All submissions should refer to File Number S7-09-22, and emails should include this number in the subject line.
Summary By: Imtiaz Karamat