What Do Financial Institutions Need to Know About the SEC’s Proposed Cybersecurity Rules?


On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.


The proposed rules will be open for public comment until May 9. 


Know the Terminology


The proposed rules would require a public company to make a Form 8-K disclosure of a “material cybersecurity incident” within four days. A Form 8-K is a notification to shareholders of specific events. If an organization needs to file a Form 8-K but does not, the consequences could be severe, including delisting. Other types of forms would be subject to more amendments (Forms 6-K, 10-Q, 10-K) as part of the proposed rule changes. Therefore, do not gloss over the definitions, because they outline scope and reporting rules. The wording is very specific.


Cybersecurity Incident: an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein (footnote 48 of the proposed changes).
Information Systems: information resources owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of a registrant’s information to ma ..
