On March 9, 2022, the Securities and Exchange Commission (SEC) proposed rules intended to enhance and standardize public company disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting. [1] The proposed rules accomplish these objectives through specific, mandated disclosure requirements applicable to all companies in a manner designed to enhance comparability across issuers and industries. If adopted, the proposed rules would supplement existing SEC guidance on cybersecurity disclosure requirements for public companies. [2] Comments on the proposed rules are due by the later of May 9, 2022 and the date 30 days after publication of the proposed rules in the Federal Register.

Disclosure Concerning Cybersecurity Incidents

Form 8-K Disclosure of Material Cybersecurity Incidents

In its proposing release, the SEC stated that cybersecurity incident disclosure was inconsistent notwithstanding the SEC’s existing guidance. In particular, the SEC noted that some incidents were reported in the media but were not disclosed by the affected companies in their periodic filings and that the nature of disclosures, when made, varied widely. [3]
