On March 9, 2022, the Securities and Exchange Commission (SEC) published a proposed rule, File No. S7-09-22, that would significantly impact public companies’ cybersecurity reporting obligations. Among other things, the proposed rule would require:
- Reporting through Form 8-K within four business days of the company's determination that it has experienced a “material cybersecurity incident.”
- Standardized and periodic disclosures on Form 10-K or, where applicable, Form 10-Q, of, among other things:
  - Cybersecurity policies and procedures
  - Management's role in implementing those policies and procedures
  - Board of directors' cybersecurity expertise, if any
  - Updates regarding previously reported material cybersecurity incidents
  - Previously undisclosed immaterial cybersecurity incidents that have become material in the aggregate
The SEC has stated its belief that the proposed four-day reporting requirement, in a standardized format on Form 8-K, would “significantly improve the timeliness of cybersecurity incident disclosures, as well as provide investors with more standardized and comparable disclosures.” Proposed Rule, at 22.