Defining Issues | March 2022

SEC proposes cybersecurity rules

Proposed rules seek to enhance and standardize risk management, strategy, governance and incident disclosures.

The proposed rules would increase the prominence of required disclosure of cybersecurity incidents in several corporate filings, including annual and quarterly filings and current reports. The proposal would also require disclosure of a registrant’s policies and procedures to identify and manage cybersecurity risks; management’s role in implementing cybersecurity policies, procedures and strategies; and the board of directors’ oversight and expertise.

Applicability


Relevant dates

  • The original proposal comment period ended May 9, 2022.
  • In October 2022, the SEC reopened the comment period for this proposal due to a technical error.

Key impacts

The SEC issued a Fact Sheet summarizing the key provisions of the proposed rules. The cybersecurity disclosure guidance issued by the SEC staff in 2011 and by the Commission in 2018 would supplement the proposed rules, if adopted.

Material cybersecurity incidents to be reported on Form 8-K

Form 8-K would require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that the incident was material.

This information would include:

  • When the incident was discovered and whether it is ongoing.
  • A brief description of the nature and scope of the incident.
  • Whether any data was stolen, altered, accessed or used for any unauthorized purpose.
  • The effect of the incident on the registrant’s operations.
  • Whether the registrant has remediated, or is currently remediating, the incident.

Additional cybersecurity incident disclosure in periodic report

Forms 10-Q and 10-K would require disclosure of material changes, additions or updates to incidents previously disclosed on Form 8-K.

The proposal includes ‘non-exclusive’ examples of the types of disclosures that would be provided, including:

  • Any material impact of the incident on the registrant’s operations and financial condition.
  • Any potential material future impacts on the registrant’s operations and financial condition.
  • Whether the registrant has remediated, or is currently remediating, the incident.
  • Any changes in the registrant’s policies and procedures because of the cybersecurity incident, and how the incident may have informed such changes.

The proposal would also require disclosure, or updates to previous disclosures, when a series of previously undisclosed individually immaterial cybersecurity incidents have become material in the aggregate.

Cybersecurity risk management, strategy and governance disclosures

Risk management and strategy

Form 10-K would require registrants to provide consistent and informative disclosures regarding their policies and procedures around cybersecurity risk management and strategy, including, among other things, whether:

  • The registrant has a cybersecurity risk assessment program and, if so, a description of the program.
  • The registrant engages assessors, consultants, auditors or other third parties in any cybersecurity risk assessment program.
  • The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider.
  • The registrant undertakes activities to prevent, detect and minimize effects of cybersecurity incidents.
  • Cybersecurity-related risks and incidents have affected, or are reasonably likely to affect, the registrant’s results of operations or financial condition.

Governance

The proposal would also require disclosures about the board of directors’ oversight of cybersecurity risk, board member cybersecurity expertise, and management’s role in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures and strategies.

Foreign Private Issuers (FPIs)

  • The proposed amendments would align incident reporting and periodic disclosures of FPIs on Forms 6-K and 20-F with those proposed for domestic registrants.

Structured data requirements

  • The proposal would require registrants to report and disclose cybersecurity information in Inline XBRL format.
