On March 9, 2022, the US Securities and Exchange Commission (SEC) voted 3-1 to propose new rules and amendments under the Securities Exchange Act of 1934 that would constitute the SEC's first attempt to adopt specific rules to comprehensively regulate cybersecurity risk management, strategy, governance and incident reporting for public companies ("registrants"). The stated goals of the proposal are to protect investors and optimize their decision-making abilities, raise cross-industry understanding of cyber threats and related incidents and promote timely reporting of cyber incidents. Below, we provide a preliminary overview of the proposed rules and amendments.

Yesterday's proposal follows the SEC's detailed cybersecurity rulemaking for registered investment advisers and business development companies, which was announced on February 9, 2022, and published in the Federal Register on March 9, 2022.[1] That proposal, if adopted, would require implementation of cybersecurity risk management policies and procedures, reporting requirements and disclosure requirements.[2]

Further in-depth analysis of both proposed rules will be forthcoming.

The Proposal

The proposed rules and amendments announced yesterday would impose several new requirements on registrants to disclose information concerning cybersecurity incidents and risks. The most prominent of these include requirements regarding the disclosure of material cybersecurity incidents, as well as obligations to disclose certain information regarding cybersecurity governance, policies and procedures.

Specifically, the proposed rules seek to:

  • Require registrants to disclose information about a material cybersecurity incident on Form 8-K within four business days after the registrant determines it has experienced an incident.
  • Require registrants to provide updated disclosures relating to previously disclosed cybersecurity incidents. This will also require disclosure of when "previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate."[3]
  • Require registrants to disclose information regarding cybersecurity governance, including the board of directors' oversight role regarding cybersecurity risks and management's role and relevant expertise in assessing and managing cybersecurity risks and implementing associated policies, procedures and strategies.
  • Require registrants to disclose "the cybersecurity expertise of members of the board of directors."[4]
  • Require similar cybersecurity incident and risk management disclosures from foreign private issuers.

Yesterday's proposal does not directly affect entities beyond public companies, such as broker-dealers. That said, Commissioner Gary Gensler stated at the March 9, 2022, open meeting that he has requested proposals for regulations that would specifically apply to broker-dealers as well. This suggests that there could be more SEC cybersecurity regulations on the table in the near future.

The comment period for this proposal is open to the public until the later of May 9, 2022, or 30 days after publication in the Federal Register.

Footnotes

1. https://www.federalregister.gov/documents/2022/03/09/2022-03145/cybersecurity-risk-management-for-investment-advisers-registered-investment-companies-and-business

2. https://www.mayerbrown.com/en/perspectives-events/publications/2022/02/sec-proposals-would-significantly-impact-private-fund-advisers-and-impose-new-cybersecurity-requirements-on-registered-advisers-and-funds-including-bdcs

3. https://www.sec.gov/files/33-11038-fact-sheet.pdf

4. Id.


© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.