Public companies will be required to disclose current “material” cybersecurity events, according to newly proposed, tightened reporting rules by the Securities and Exchange Commission (SEC).
Registrants will be required to report an incident in an 8-K document within four business days and also adhere to additional provisions that extend to risk management, strategy and governance to better inform investors, the SEC said.
That four-day reporting window could keep MSSPs and MSPs on their toes. In some cases, the service providers themselves could be publicly held. In other cases, publicly held customers may call on their MSSPs and MSPs to help rapidly document an incident.
The proposed amendments would also require quarterly reporting of the following:
- Updates about previously reported cybersecurity incidents.
- The registrant’s policies and procedures to identify and manage cybersecurity risks.
- The board of directors' oversight of cybersecurity risk.
- Management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.
- Annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.
The proposed rules will be put out for a public comment period, which will be either 30 days from when it is published on SEC.gov and in the Federal Register, or 60 days after it is issued, whichever period is longer.
The proposal’s timing is particularly relevant given the heightened threat of cybersecurity attacks linked to the war in Ukraine. Managed security service providers (MSSPs) that work with public companies will need to pay particular attention to the amended event reporting requirements to best advise their clients.
In supporting the proposal, SEC Chair Gary Gensler said investors want to know more about how issuers are managing cybersecurity risks. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend,” he said. “A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”
The proposed measures are part of the SEC’s wider effort to extend cybersecurity reporting policies. Last month, the agency voted to propose rules related to cybersecurity risk management for registered investment advisers and registered funds. The provisions would require advisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors. In addition, advisers and funds would be required to report significant cybersecurity events that occurred in the last two fiscal years in their brochures and registration statements. Those policies are still out for public comment.