SEC proposes rules regarding cybersecurity-related disclosures

On March 9, 2022, the SEC released proposed rule amendments regarding various required cybersecurity-related disclosures. Among other stipulations, the proposed amendments would require:

• Current reporting about material cybersecurity incidents on Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident. The SEC would not expect a registrant to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impeded the registrant’s response or remediation of the incident. However, to the extent the information is known at the time of the Form 8-K filing, the disclosure should include:
  • When the incident was discovered and whether it is ongoing
  • A brief description of the nature and scope of the incident
  • Whether any data was stolen, altered, accessed or used for any other unauthorized purpose
  • The effect of the incident on the registrant’s operations
  • Whether the registrant has remediated or is currently remediating the incident
• Periodic reporting on Form 10-Q and Form 10-K to provide updated disclosure about previously reported cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate
• Annual reporting in Form 10-K to provide disclosure about:
  • The registrant’s policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including, among other matters, whether the registrant considers cybersecurity as part of its business strategy, financial planning and capital allocation
  • The registrant’s cybersecurity governance, including the board of directors’ oversight role regarding cybersecurity risks
  • Management’s role, and relevant expertise, in assessing and managing cybersecurity-related risks and implementing related policies, procedures and strategies
• Annual reporting or proxy disclosure about the board of directors’ cybersecurity expertise, if any, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise
• The cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language

This article was written by RSM US LLP and originally appeared on Mar 10, 2022.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/financial-reporting/sec-proposes-rules-regarding-cybersecurity-related-disclosures.html

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.