SEC Adopts Final Cybersecurity Disclosure Requirements for Public Issuers
The SEC adopted final disclosure requirements on cybersecurity risk management, governance, strategy, and incident reporting by public companies.
As previously covered, the proposed requirements are meant to (i) inform investors as to an issuer's risk management strategy and governance and (ii) provide prompt notification to investors of material cybersecurity incidents, as well as periodic updates on such incidents.
According to the SEC, several "important changes" were made to the final amendments, and they will now require market participants to:
- describe their cybersecurity-related risk assessment and management practices and how any cybersecurity threats have materially impacted their "business strategy, results of operations, or financial condition";
- describe governance practices, including (i) board oversight of risks from cybersecurity threats and (ii) management's role in addressing cybersecurity threats; and
- report material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, except where the U.S. Attorney General finds that immediate disclosure would pose a substantial risk to national security or public safety, in which case the filing may be delayed.
The final amendments also require foreign private issuers to (i) provide descriptions on Form 20-F of their oversight and risk management practices for addressing cybersecurity threats and (ii) disclose on Form 6-K material cybersecurity incidents that they would otherwise publicize in a foreign jurisdiction.
The SEC is also requiring the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language.
The amendments will become effective 30 days following publication in the Federal Register.
Statements
The following statements on the final amendments were provided by:
- SEC Chair Gary Gensler. Mr. Gensler said the final amendments will make investor disclosures "more consistent, comparable, and decision-useful." He added that the final rules, as amended after public comment, will "streamline required disclosures for both periodic and incident reporting."
- SEC Commissioner Jaime Lizárraga. Mr. Lizárraga emphasized that despite the recent growing number of companies that are prioritizing cyber risk management, there are currently "zero disclosure requirements that explicitly refer to cybersecurity risks, governance or incident report." He said the final amendments will "reduce market mispricing and information asymmetries" while deterring companies from "cherry-pick[ing] disclosures of their cybersecurity risk management processes."
- SEC Commissioner Caroline A. Crenshaw. Ms. Crenshaw said that the final amendments are "an important reminder of how [the SEC's] continuous reporting framework incorporates emerging risks." She encouraged the SEC to continue to consider whether additional disclosures are necessary, such as whether a firm's board has cyber-related experts.
- SEC Commissioner Hester M. Peirce. Ms. Peirce dissented, stating that while "better than the proposal," the final amendments continue to "ignore both the limits of the SEC's disclosure authority and the best interests of investors." She argued that additional regulations are not necessary; when a market participant fails to satisfy its disclosure requirements regarding cyber risks, the SEC has the ability to pursue enforcement action. Ms. Peirce added that the proposal reads like a "test run for future overly prescriptive, overly costly disclosure rules covering a never-ending list of hot topics."