On March 9, the SEC proposed amendments to enhance and standardize disclosures related to cybersecurity. Key provisions of the proposal, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, include the following.

A registrant would be required to report a cybersecurity incident on Form 8-K within 4 business days of when it is determined to be material. The determination of whether an incident is material would be based on the definition of materiality used in the securities laws.

Disclosures would include:

Registrants would also need to disclose in their Form 10-Ks and 10-Qs any material changes, additions, or updates to information that was previously disclosed in the Form 8-K in which the initial incident was reported. In addition, a series of previously unreported individually immaterial incidents would need to be disclosed in Forms 10-K and 10-Q when they become material in the aggregate.

Proposed Item 106 in Regulation S-K would require registrants to provide more consistent and informative disclosure on their cybersecurity risk management and strategy. Disclosures would include management’s role and relevant expertise in assessing and managing cybersecurity risks and implementing related policies, procedures, and strategies. The proposal also calls for expanded disclosures of policies and procedures, if any, for identifying and managing cybersecurity risks and information about a registrant’s cybersecurity governance.

Disclosures of management’s role and expertise would include:

Disclosures of policies and procedures would include a description of the registrant’s cybersecurity risk assessment program, if any, contingency or recovery plans, and use of third parties. In addition, a registrant would be required to disclose whether and how it considers cybersecurity risks as part of its business strategy, financial planning, and capital allocation, as well as to explain how previous cybersecurity incidents have informed changes in its governance structure.

Lastly, a registrant should indicate whether cybersecurity risk and incidents have affected or are reasonably likely to affect its results of operations or financial condition and if so, how.

Registrants would be required to disclose details of the board of directors’ oversight of cybersecurity risk and cybersecurity expertise, if any. Disclosures related to board oversight would include:

Registrants would also be required to disclose whether any director has cybersecurity expertise, and if so, the director’s name and the nature of that expertise. While the proposal does not define “cybersecurity expertise,” it includes criteria that should be considered in this determination, including whether a director has prior work experience in or knowledge of cybersecurity or a certification or degree in cybersecurity.

On March 15, the Strengthening American Cybersecurity Act (the Act) was signed into law. Provisions of this Act will require critical infrastructure owners and operators to report “substantial” cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. The Act also grants the CISA director broad authority to develop rules within 24 months. See our Cyber breach reporting to be required by law for better cyber defense for more details.

The SEC proposed a rule in February that would require registered investment advisers, registered investment companies, and business development companies to adopt and implement written cybersecurity policies and procedures to address cybersecurity risks. The proposal also would require advisers to confidentially report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the SEC.

Current SEC interpretive guidance on cybersecurity disclosure is included in 2011 and 2018 disclosure guidance. Current guidance may require disclosure of cybersecurity risks, policies and procedures, and material incidents in Risk Factors, Business Description, MD&A, Legal Proceedings, Disclosure Controls & Procedures, or the financial statements, but there are no prescriptive requirements as to the level of detail.

The March 9 proposal applies to all public companies, including foreign private issuers (FPIs). Although disclosure requirements currently vary for domestic and foreign registrants, the proposal would amend the requirements for FPIs to provide consistent cybersecurity disclosures for all registrants.

According to the SEC’s release, the amendments are designed to provide investors with better information about a registrant's cybersecurity risk management, strategy, governance, and exposure to cybersecurity incidents.

If the rules are finalized as currently proposed, several of the provisions will be subject to interpretation and judgment, including how to apply the definition of a cyber incident and how to determine which incidents are material.

Comments are due the later of 30 days after it is published in the Federal Register or May 9. The SEC will consider the feedback received and issue a final rule, likely before the end of the year. In the interim, companies should consider whether their processes, controls, governance structure, or disclosures would need to be enhanced to comply with the proposal if it were finalized as currently drafted.

We will release a podcast later in March that summarizes the proposal. Look for it at viewpoint.pwc.com or wherever you get your podcasts.