Summary of

New Proposed SEC Disclosures for Cybersecurity

May 9, 2022
Prepared by Rod Hackman

OVERVIEW: SEC Quote: “The Securities and Exchange Commission (“Commission”) is proposing rules
to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and
cybersecurity incident reporting by public companies that are subject to the reporting requirements of the
Securities Exchange Act of 1934. Specifically, we are proposing amendments to require current reporting
about material cybersecurity incidents. We are also proposing to require periodic disclosures about a
registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in
implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if
any, and its oversight of cybersecurity risk. Additionally, the proposed rules would require registrants to
provide updates about previously reported cybersecurity incidents in their periodic reports.”

Summary of Proposals

1. Timing of Reporting: Requires registrants to disclose information about a cybersecurity incident

within four business days after the registrant determines that it has experienced a material
cybersecurity incident. A cybersecurity incident is defined to include an unauthorized occurrence
on or through a registrant’s “information systems” including “information resources owned or used
by the registrant”. Furthermore, the SEC asks, “Would the registrants be reasonably able to obtain
information to make a material determination about cybersecurity incidents affecting information
resources that are used but not owned by them?” The SEC questions if a safe harbor is appropriate
for third party cybersecurity incidents. A non-exclusive list of cybersecurity incidents triggering
disclosure includes the following:
a. An unauthorized incident that has compromised the confidentiality, integrity, or availability
of an information asset (data, system, or network); or violated the registrant’s security
policies or procedures. Incidents may stem from the accidental exposure of data or from a
deliberate attack to steal or alter data.
b. An unauthorized incident that caused degradation, interruption, loss of control, damage to,
or loss of operational technology systems.
c. An incident in which an unauthorized party accessed, or a party exceeded authorized access,
and altered, or has stolen sensitive business information, personally identifiable information,
intellectual property, or information that has resulted, or may result, in a loss or liability for
the registrant.
d. An incident in which a malicious actor has offered to sell or has threatened to publicly
disclose sensitive company data; or
e. An incident in which a malicious actor has demanded payment to restore company data that
was stolen or altered.

2. Previously Disclosed Incident Reporting: Requires registrants to provide updated disclosure

relating to previously disclosed cybersecurity incidents. Non-exclusive examples include:
a. Any material impact of the incident on the registrant’s operations and financial condition.
b. Any potential material future impacts on the registrant’s operations and financial condition.
c. Whether the registrant has remediated or is currently remediating the incident; and
d. Any changes in the registrant’s policies and procedures as a result of the cybersecurity
incident, and how the incident may have informed such changes.

3. Reporting When a Series of Previously Undisclosed Incidents Becomes Material: Requires

disclosure, to the extent known to management, when a series of previously undisclosed individually
immaterial cybersecurity incidents has become material in the aggregate. At that point registrants
would need to disclose:
a. When the incidents were discovered and whether they are ongoing.
b. A brief description of the nature and scope of such incidents.
c. Whether any data was stolen or altered.
d. The impact of such incidents on the registrant’s operations and registrant’s actions.
e. Whether the registrant has remediated or is currently remediating the incidents.

4. Policies & Procedures: Disclose registrant’s policies and procedures, if any, for identifying and
managing cybersecurity risks.
a. Require registrants to provide more consistent information disclosure regarding their
cybersecurity risk management and strategy.
b. Disclosure of relevant policies and procedures, to the extent a registrant has established any,
to identify and manage cybersecurity risks and threats including operational risk; intellectual
property theft; fraud; extortion; harm to employees or customers; violation of privacy laws
and other litigation and legal risk; and reputational risk. Specifically, whether:
i. The registrant has a cybersecurity risk assessment program and if so, provide a
description of such program.
ii. The registrant engages assessors, consultants, auditors, or other third parties in
connection with any cybersecurity risk assessment program.
iii. The registrant has policies and procedures to oversee and identify the
cybersecurity risks associated with its use of any third-party service provider
(including, but not limited to, those providers that have access to the
registrant’s customer and employee data), including whether and how
cybersecurity considerations affect the selection and oversight of these
providers and contractual and other mechanisms the company uses to mitigate
cybersecurity risks related to these providers.
iv. The registrant undertakes activities to prevent, detect, and minimize effects of
cybersecurity incidents.
v. The registrant has business continuity, contingency, and recovery plans in the
event of a cybersecurity incident.
vi. Previous cybersecurity incidents have informed changes in the registrant’s
governance, policies and procedures, or technologies.
 vii. Cybersecurity related risk and incidents have affected or are reasonably likely
to affect the registrant’s results of operations or financial condition and if so,
how; and
viii. Cybersecurity risks are considered as part of the registrant’s business strategy,
financial planning, and capital allocation and if so, how.

5. Governance: Disclosure regarding board oversight of a registrant’s cybersecurity risk and the
inclusion or exclusion of management from the oversight of cybersecurity risks and the
implementation of related policies, procedures, and strategies impacts an investor’s ability to
understand how a registrant prepares for, prevents, or responds to cybersecurity incidents.
Disclosure of a registrant’s cybersecurity governance, including the board’s oversight of
cybersecurity risk and a description of management’s role in assessing and managing cybersecurity
risks, the relevant expertise of such management, and its role in implementing the registrant’s
cybersecurity policies, procedures, and strategies. Specifically, where it pertains to board oversight:
a. Whether the entire board, specific board members or a board committee is responsible for
the oversight of cybersecurity risks.
b. The processes by which the board is informed about cybersecurity risks, and the frequency
of its discussions on this topic.
c. Whether and how the board or board committee considers cybersecurity risks as part of its
business strategy, risk management, and financial oversight.

6. Management’s Role: Disclose a description of management’s role in assessing and managing

cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures,
and strategies. This description would include but not be limited to, the following information:
a. Whether certain management positions or committees are responsible for measuring and
managing cybersecurity risk, specifically the prevention, mitigation, detection, and
remediation of cybersecurity incidents, and the relevant expertise of such persons or
members.
b. Whether the registrant has a designated a chief information security officer, or someone in a
comparable position, and if so, to whom that individual reports within the registrant’s
organizational chart, and the relevant expertise of any such persons.
c. The processes by which such persons or committees are informed about and monitor the
prevention, mitigation, detection, and remediation of cybersecurity incidents; and
d. Whether and how frequently such persons or committees report to the board of directors or
a committee of the board of directors on cybersecurity risk.
7. Board Cybersecurity Expertise: Disclosure about if any member of the registrant’s board of
directors has cybersecurity expertise. Although the SEC would not define what constitutes
“cybersecurity expertise” given that such expertise may cover different experiences, skills, and
tasks, it includes the following non-exclusive list of criteria that a registrant should consider in
reaching a determination on whether a director has expertise in cybersecurity:
a. Whether the director has prior work experience in cybersecurity, including, for example,
prior experience as an information security officer, security policy analyst, security auditor,
security architect or engineer, security operations or incident response manager, or business
continuity planner.
b. Whether the director has obtained a certification or degree in cybersecurity; and
c. Whether the director has knowledge, skills, or other background in cybersecurity, including,
for example, in the areas of security policy and governance, risk management, security
assessment, control evaluation, security architecture and engineering, security operations,
incident handling, or business continuity planning.