The SEC proposes to amend Regulation S-K and Exchange Act forms to require companies to report cybersecurity incidents on Form 8-K within four business days after the company determines the incident is material. Companies would also be required to provide updated disclosures on Forms 10-Q and 10-K about previously disclosed incidents, as well as to disclose in their periodic reports any series of previously undisclosed individually immaterial incidents that has become material in the aggregate.
The proposed requirements would extend beyond incident reporting to include information intended to enable investors to evaluate companies’ ability to manage and mitigate their cybersecurity risk and exposure. Companies would be required to describe in their Form 10-K reports their policies and procedures for identifying and managing cybersecurity risk, including whether they consider cybersecurity risk as part of their business strategy, financial planning, and capital allocation.
The annual reporting requirements would also encompass disclosure about the board’s oversight of cybersecurity risk, management’s cybersecurity expertise, management’s role in assessing and managing cybersecurity risk, and its role in implementing the company’s cybersecurity policies, procedures, and strategies. In addition, companies would be obligated to disclose on Form 10-K and in their annual proxy statements whether any board member has cybersecurity expertise and, if so, to describe the nature of that expertise.
The SEC’s release describing the proposed amendments is Release No. 33-11038. The comment period on the proposal will be open until May 9.
Authored by Alan Dye (co-editor), Richard Parrino (co-editor), John Beckman, Kevin Greenslade, William Intner, Paul Otto, Harriet Pearson, and Nicholas Hoover.