SEC proposes rules regarding cybersecurity-related disclosures

Mar 10, 2022

On March 9, 2022, the SEC released proposed rule amendments regarding various required cybersecurity-related disclosures. Among other stipulations, the proposed amendments would require:

  • Current reporting about material cybersecurity incidents on Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident. The SEC would not expect a registrant to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response to or remediation of the incident. However, to the extent the information is known at the time of the Form 8-K filing, the disclosure should include:
    • When the incident was discovered and whether it is ongoing
    • A brief description of the nature and scope of the incident
    • Whether any data was stolen, altered, accessed or used for any other unauthorized purpose
    • The effect of the incident on the registrant’s operations
    • Whether the registrant has remediated or is currently remediating the incident
  • Periodic reporting on Form 10-Q and Form 10-K to provide updated disclosure about previously reported cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate
  • Annual reporting in Form 10-K to provide disclosure about:
    • The registrant’s policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including, among other matters, whether the registrant considers cybersecurity as part of its business strategy, financial planning and capital allocation
    • The registrant’s cybersecurity governance, including the board of directors' oversight role regarding cybersecurity risks
    • Management’s role, and relevant expertise, in assessing and managing cybersecurity-related risks and implementing related policies, procedures and strategies
  • Annual reporting or proxy disclosure about the board of directors’ cybersecurity expertise, if any, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise
  • The cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language
