The proposed rules would increase the prominence of required disclosure of cybersecurity incidents in several corporate filings, including annual and quarterly filings and current reports. The proposal would also require disclosure of a registrant’s policies and procedures to identify and manage cybersecurity risks; management’s role in implementing cybersecurity policies, procedures and strategies; and the board of directors’ oversight and expertise.
Material cybersecurity incidents to be reported on Form 8-K
Form 8-K would require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that the incident was material.
This information would include:
Additional cybersecurity incident disclosure in periodic report
Forms 10-Q and 10-K would require disclosure of material changes, additions or updates to incidents previously disclosed on Form 8-K.
The proposal includes ‘non-exclusive’ examples of the types of disclosures that would be provided, including:
The proposal would also require disclosure, or updates to previous disclosures, when a series of previously undisclosed individually immaterial cybersecurity incidents have become material in the aggregate.
Cybersecurity risk management, strategy and governance disclosures
Risk management and strategy
Form 10-K would require registrants to provide consistent and informative disclosures regarding their policies and procedures around cybersecurity risk management and strategy, including, among other things, whether:
The proposal would also require disclosures about the board of directors’ oversight of cybersecurity risk, board member cybersecurity expertise, and management’s role in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures and strategies.
Foreign Private Issuers (FPIs)
Structured data requirements