On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed updates to its disclosure rules intended to “enhance and standardize” public company disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting (the “Proposed Rules”). The Proposed Rules may require issuers to update their disclosure controls and procedures, in particular with respect to determining the materiality of cybersecurity events and providing prompt disclosure.
The Proposed Rules build on a body of pre-existing SEC guidance regarding cybersecurity disclosures. In 2011, the Division of Corporation Finance issued interpretive guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The SEC followed up that guidance with a 2018 statement on cybersecurity disclosure addressing, among other things, the materiality of incidents, updates to risk factors, and board risk oversight. If adopted, the Proposed Rules would make many of these recommendations express requirements, while adding clarity and detail regarding the cybersecurity risks and practices that must be reported. Although the Proposed Rules are focused on disclosure, if adopted they may lead issuers to enhance cybersecurity risk management and oversight, as well as to add directors with expertise in cybersecurity.
For more details, click here to read Ropes & Gray’s client alert on the Proposed Rules.