Cyber Risk Management, Response and Transparency: SEC Proposes Public Company Cybersecurity Disclosure Rules

On March 9, 2022, the Securities and Exchange Commission (SEC) proposed new rules that would require U.S. public companies to report their material cybersecurity incidents and to provide disclosure in their periodic reports about their cybersecurity risk management and governance. The proposed rules would represent a significant expansion in the reporting obligations and transparency around public companies’ cyber risk management policies and procedures and the oversight role of management and boards of directors in managing companies’ cybersecurity risk.[1] The proposed rules also reflect the fundamental shift in focus on cybersecurity risk by the Biden Administration and the impact domestically and globally of such risk across the financial markets.

New Proposed Form 8-K Reporting of Material Cybersecurity Incidents

The proposed rules would add new Item 1.05 to Form 8-K, which would require a company to file its Form 8-K within four business days of determining that it has experienced a material cybersecurity incident.[2] The report would need to describe the following (to the extent known):

  • When the incident was discovered and whether it is ongoing;
  • A brief description…
