SEC Proposed Cybersecurity Rules – What They Are and What Our … – JD Supra

Paul Hastings LLP
What are the new rules?
Earlier this year, the Securities and Exchange Commission (“SEC”) published a new set of proposed cybersecurity disclosure rules for public companies. The proposed rules would significantly increase SEC scrutiny of public companies’ cybersecurity-related business activities, decision-making processes, and the Board’s new role in overseeing cybersecurity.
These proposed rules signal the increasing importance the SEC places on cybersecurity, going farther than any federal agency to date in placing obligations on public companies and their Boards of Directors. One of the most significant new obligations requires public company Board oversight and involvement in the review, assessment, and implementation of cybersecurity policies and procedures. The proposed rules also create stronger and more uniform guidelines for companies regarding disclosures, and ongoing supplementation, of “material” cybersecurity incidents.
The comment period for these rules ended on May 9, 2022, with hundreds of comments submitted. While we do not yet have a date for when the rules will be finalized or effective, given the significant changes that are likely to be included in the new rules, companies and their boards should take steps to prepare now.
What are some of the key requirements if the rules are adopted?
If the SEC adopts the rules similar to their proposed form, the key obligations include:
What is changing from the current rules?
Companies and their senior leadership will be held to a higher standard. Under the new rules, companies will be required to develop and maintain reasonable cybersecurity practices, describe those practices in public filings, explain how their senior leadership oversee those programs effectively, and report cybersecurity incidents in a way that provides appropriate information to shareholders.
The rules will be clearer (hopefully). While more granular and potentially burdensome than in the past, the new rules will provide clarity on and solidify earlier guidance and the outcomes of recent SEC enforcements. Current rules, guidance, and enforcements have created an inconsistent and potentially confusing standard for cybersecurity that will be remedied, at least in part, by these new rules.
More, and more detailed, documentation will be required. Among the recent findings in various SEC enforcements is the clear message from the Commission that it believes that cybersecurity incident reports often lack detail, are inconsistent, and are not timely. The new rules provide guidelines for the content, timing, and format of incident reports and periodic disclosures. The new rules also require adequate documentation of companies’ cybersecurity and risk management programs.
What should companies be doing to prepare?
Review cybersecurity and risk management documents. Cybersecurity and risk management systems can take months to update. Companies should start reviewing and updating these programs now. Companies should pay particular attention to changes in their technology infrastructure, recent acquisitions and mergers, changes in the threat landscape, and lessons learned from any recent security incidents.
Educate your Board. With all the new requirements for oversight being placed on the Board, the Board will need to ensure that it is prepared to oversee the cybersecurity and risk management policies and procedures of the company. However, few Boards have historically been provided with enough detail to take on this task. Determine whether the full Board, or a subset of the Board, will be primarily responsible for oversight, and ensure that they have been properly educated and approve of the company’s policies and procedures.
Review your incident response plans. All companies should have an incident response plan, but we recommend a review of such plan in light of these new proposed rules. Your incident response team should be aware of this timeline and know whether and how to escalate as needed. The incident response plan should also have a clear escalation plan for raising significant or material incidents with senior leadership and the Board. The window for reporting a material incident to the SEC is four days—that is a shorter notification period than any other U.S. law. Like the other cybersecurity policies and procedures, the Board should be educated on the incident response plan and then participate in a table top exercise to simulate a real incident.
Identify what materiality means to your company. Any decision on the materiality of an incident, which would require notification within four days, should be made by the company’s legal team and the senior leadership as appropriate. The Company should specifically ensure that both the incident response plan and operating environment have the appropriate procedures for escalation to the legal team and senior management who will make the materiality determinations.
See more
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Paul Hastings LLP | Attorney Advertising
Refine your interests »
Back to Top
Explore 2022 Readers’ Choice Awards
Copyright © JD Supra, LLC



Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top

Adblock Detected

Please consider supporting us by disabling your ad blocker

Refresh Page