

The SEC Has Proposed a New Cyber Disclosures Rule for Public Companies

John Ernest Clabby, Joseph W Swanson, and Patricia Marie Carreiro


On March 9, 2022, the Securities and Exchange Commission (SEC) published a proposed rule, File No. S7-09-22, that would significantly impact public companies’ cybersecurity reporting obligations. Among other things, the proposed rule would require:

  • Reporting on Form 8-K within four business days of the company’s determination that it has experienced a “material cybersecurity incident.” The clock would run from the materiality determination, not from discovery of the incident, and the proposal states that the determination should be made as soon as reasonably practicable after discovery. As proposed, there is no provision for delaying the filing at the request of law enforcement.
  • Standardized and periodic disclosures on Form 10-K or, where applicable, Form 10-Q, of, among other things:
    • Cybersecurity policies and procedures
    • Management's role in implementing those policies and procedures
    • Board of directors' cybersecurity expertise, if any
    • Updates regarding previously reported material cybersecurity incidents
    • Previously undisclosed immaterial cybersecurity incidents if they become material in the aggregate.

The SEC has stated its belief that the proposed four-day reporting requirement, in a standardized format on Form 8-K, would “significantly improve the timeliness of cybersecurity incident disclosures, as well as provide investors with more standardized and comparable disclosures.” Proposed Rule, at 22.

The proposed rule would be a major change for companies when viewed against the existing, background legal regime for cyber incident disclosures. The SEC would layer a second, shareholder-facing notification regime on top of what most states’ laws currently require of companies, with the SEC’s own view of the proper timing and content of a cyber incident disclosure. State data-incident notification laws typically provide for notification only to the individuals whose personal information may be impacted by the security event (and, in some states, to regulators), rather than to the company’s shareholders. Although there is material variation between states, state notification laws generally provide for notification within 30 to 60 days (or “without unreasonable delay”) of the determination of unauthorized access to personal information, rather than the SEC’s proposed four business days from the determination that the event is material. The two triggers differ as well: a state law clock starts on a finding that personal information was accessed, whereas the SEC clock starts on a materiality finding, which may occur with no personal information involved at all. The proposal would not displace state law, so a company would have to track and satisfy both clocks.

This proposed rule is the culmination of more than a decade of guidance and comment from the SEC and SEC staff on cybersecurity disclosures for public companies. In 2011, for example, the Division of Corporation Finance issued staff guidance concerning companies’ disclosure obligations related to cybersecurity risks and incidents. In 2018, the SEC itself issued interpretive guidance, providing some guardrails for companies deciding when and how to disclose information about cybersecurity risks and security incidents under the existing disclosure rules. Neither document created a line-item disclosure requirement or a filing deadline specific to cyber incidents. The proposed rule, while building on this guidance, sets an entirely new regime.

This proposed disclosure regime, if it were put in place, could lead to a significant increase in the risk of putative shareholder class actions after disclosure of a cyber incident, particularly if the company’s stock price were to move shortly after the disclosure of a material cybersecurity incident. A shareholder might allege, for example, that the company’s earlier periodic disclosures of its cybersecurity policies or its cyber risks were not accurate in light of the later “corrective” disclosure of an actual incident. Because the proposed rule would also require standardized descriptions of policies, procedures and management oversight, those descriptions would become a fixed record against which a later incident could be measured.

The SEC is receiving comments through early May 2022.