Professional Documents
Culture Documents
May 9, 2022
Prepared by Rod Hackman
OVERVIEW: SEC Quote: “The Securities and Exchange Commission (“Commission”) is proposing rules
to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and
cybersecurity incident reporting by public companies that are subject to the reporting requirements of the
Securities Exchange Act of 1934. Specifically, we are proposing amendments to require current reporting
about material cybersecurity incidents. We are also proposing to require periodic disclosures about a
registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in
implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if
any, and its oversight of cybersecurity risk. Additionally, the proposed rules would require registrants to
provide updates about previously reported cybersecurity incidents in their periodic reports.”
Summary of Proposals
4. Policies & Procedures: Disclose registrant’s policies and procedures, if any, for identifying and
managing cybersecurity risks.
a. Require registrants to provide more consistent information disclosure regarding their
cybersecurity risk management and strategy.
b. Disclosure of relevant policies and procedures, to the extent a registrant has established any,
to identify and manage cybersecurity risks and threats including operational risk; intellectual
property theft; fraud; extortion; harm to employees or customers; violation of privacy laws
and other litigation and legal risk; and reputational risk. Specifically, whether:
i. The registrant has a cybersecurity risk assessment program and if so, provide a
description of such program.
ii. The registrant engages assessors, consultants, auditors, or other third parties in
connection with any cybersecurity risk assessment program.
iii. The registrant has policies and procedures to oversee and identify the
cybersecurity risks associated with its use of any third-party service provider
(including, but not limited to, those providers that have access to the
registrant’s customer and employee data), including whether and how
cybersecurity considerations affect the selection and oversight of these
providers and contractual and other mechanisms the company uses to mitigate
cybersecurity risks related to these providers.
iv. The registrant undertakes activities to prevent, detect, and minimize effects of
cybersecurity incidents.
v. The registrant has business continuity, contingency, and recovery plans in the
event of a cybersecurity incident.
vi. Previous cybersecurity incidents have informed changes in the registrant’s
governance, policies and procedures, or technologies.
vii. Cybersecurity related risk and incidents have affected or are reasonably likely
to affect the registrant’s results of operations or financial condition and if so,
how; and
viii. Cybersecurity risks are considered as part of the registrant’s business strategy,
financial planning, and capital allocation and if so, how.
5. Governance: Disclosure regarding board oversight of a registrant’s cybersecurity risk and the
inclusion or exclusion of management from the oversight of cybersecurity risks and the
implementation of related policies, procedures, and strategies impacts an investor’s ability to
understand how a registrant prepares for, prevents, or responds to cybersecurity incidents.
Disclosure of a registrant’s cybersecurity governance, including the board’s oversight of
cybersecurity risk and a description of management’s role in assessing and managing cybersecurity
risks, the relevant expertise of such management, and its role in implementing the registrant’s
cybersecurity policies, procedures, and strategies. Specifically, where it pertains to board oversight:
a. Whether the entire board, specific board members or a board committee is responsible for
the oversight of cybersecurity risks.
b. The processes by which the board is informed about cybersecurity risks, and the frequency
of its discussions on this topic.
c. Whether and how the board or board committee considers cybersecurity risks as part of its
business strategy, risk management, and financial oversight.