Defining Issues | March 2022

 

Insight

SEC proposes cybersecurity rules

Proposed rules seek to enhance and standardize risk management, strategy, governance and incident disclosures.

The proposed rules would increase the prominence of required disclosure of cybersecurity incidents in several corporate filings, including annual and quarterly filings and current reports. The proposal would also require disclosure of a  registrant’s policies and procedures to identify and manage cybersecurity risks; management’s role in implementing cybersecurity policies, procedures and strategies; as well as the board of directors’ oversight and expertise.

Applicability


Relevant dates

  • Comments are due May 9, 2022.

Key impacts

The SEC issued a Fact Sheet summarizing the key provisions of the proposed rules. The cybersecurity disclosure guidance issued by the SEC staff in 2011 and by the Commission in 2018 would supplement the proposed rules, if adopted.

Material cybersecurity incidents to be reported on Form 8-K

Form 8-K would require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that the incident was material.

This information would include:

  • When the incident was discovered and whether it is ongoing.
  • A brief description of the nature and scope of the incident.
  • Whether any data was stolen, altered, accessed or used for any unauthorized purpose.
  • The effect of the incident on the registrant’s operations.
  • Whether the registrant has remediated, or is currently remediating, the incident.

 

Additional cybersecurity incident disclosure in periodic report

Forms 10-Q and 10-K would require disclosure of material changes, additions or updates of incidents previously disclosed in Form 8-K.

The proposal includes ‘non-exclusive’ examples of the types of disclosures that would be provided, including:

  • Any material impact of the incident on the registrant’s operations and financial condition.
  • Any potential material future impacts on the registrant’s operations and financial condition.
  • Whether the registrant has remediated, or is currently remediating, the incident.
  • Any changes in the registrant’s policies and procedures because of the cybersecurity incident, and how the incident may have informed such changes.

The proposal would also require disclosure, or updates to previous disclosures, when a series of previously undisclosed individually immaterial cybersecurity incidents have become material in the aggregate.

 

Cybersecurity risk management, strategy and governance disclosures

Risk management and strategy

Form 10-K would require registrants to provide consistent and informative disclosures regarding their policies and procedures around cybersecurity risk management and strategy, including, among other things, whether:

  • The registrant has a cybersecurity risk assessment program and, if so, a description of the program.
  • The registrant engages assessors, consultants, auditors or other third parties in any cybersecurity risk assessment program.
  • The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider.
  • The registrant undertakes activities to prevent, detect and minimize effects of cybersecurity incidents.
  • Cybersecurity-related risks and incidents have affected, or are reasonably likely to affect, the registrant’s results of operations or financial condition.

Governance

The proposal would also require disclosures about the board of directors’ oversight of cybersecurity risk, board member cybersecurity expertise, and management’s role in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures and strategies.

Foreign Private Issuers (FPIs)

  • The proposed amendments would align incident reporting and periodic disclosures of FPIs on Forms 6-K and 20-F with those proposed for domestic registrants

Structured data requirements

  • The proposal would require registrants to report and disclose cybersecurity information in Inline XBRL format.


Related content

Subscribe to our newsletter

Receive timely updates on accounting and financial reporting topics from KPMG.

Receive timely updates on accounting and financial reporting topics from KPMG.

ARO

Use our Accounting Research Online for financial reporting resources.

Use our Accounting Research Online for financial reporting resources.