SEC Proposes Cybersecurity Disclosure Rule For Public Companies

Continuing its active regulatory agenda, the Securities and Exchange Commission on March 9, 2022, proposed new cybersecurity regulations for reporting public companies. Although couched as a series of “disclosure” requirements, the proposed list of required disclosures can be viewed as a de facto prescription of what public companies must do and say on cybersecurity; that prompted Commissioner Peirce to dissent.

The Proposed Rule would require reporting public companies to promptly disclose “material cybersecurity incidents” and their response, updating those disclosures in regularly-recurring periodic reports. More significantly though, the Proposed Rule sets out a series of required disclosures about registrants’ risk management policies and procedures, strategic view of cybersecurity issues and governance practices around cybersecurity – including the specific, detailed cybersecurity experience or expertise among directors and management.

The Proposing Release cites the SEC’s 2018 Interpretive Release on disclosure of material cybersecurity issues under the rubric of many existing Rules. See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 26, 2018) No. 33-10459 (Feb. 21, 2018) [83 FR 8166], available here. That lengthy discussion of how existing Rules compel material cybersecurity disclosures begs the question of whether the new, more prescriptive, Rules even are necessary. The Release posits they are, because existing disclosure practices still vary considerably.

The Proposal broadly mirrors the Commission’s action last month proposing a similar rule for advisers and investment companies. I discussed that proposal here.

Commissioner Peirce dissented, as she did to the Adviser Cybersecurity Rule Proposal. Her main concerns were that the Proposed Rule:

  • Micromanaged Board and Management composition and actions on cybersecurity;
  • Was unduly prescriptive by an agency not well suited to address cybersecurity; and,
  • Was unnecessary in light of the 2018 Guidance.

Her dissenting statement may be found here.

The Proposing Release, Rel. No. 33-11038, File S7-09-22, is here. Comments are due May 9.

Thomas K. Potter, III is a partner in the Securities Litigation Practice Group at Burr & Forman LLP. Tom is licensed in Tennessee, Texas, and Louisiana. He has over 35 years of experience representing financial institutions in litigation, regulatory, and compliance matters.

Posted in: Cyber Security, SEC