SEC Releases New Proposal for Public Company Disclosures of Cybersecurity Incidents, Risk Management, and Governance Policies and Procedures

Client memorandum | March 14, 2022

In a proposal issued last week titled “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” (the “Proposal”), the SEC teed up a new cybersecurity disclosure and reporting rule, following February’s proposal for SEC-registered funds and investment companies to manage and disclose cybersecurity risks and report incidents. If approved, the Proposal would require (i) current reporting of cybersecurity incidents within four business days after a company has determined that an incident is material, with periodic updates about such previously reported incidents (with no delayed disclosure exceptions based on ongoing law enforcement investigations); and (ii) periodic disclosures regarding cybersecurity risk management, board and management oversight, and director cybersecurity expertise. In this memorandum, we summarize the Proposal and set forth some recommendations for registrants to consider.

This communication is for general information only. It is not intended, nor should it be relied upon, as legal advice. In some jurisdictions, this may be considered attorney advertising. Please refer to the firm’s data policy page for further information.