
Conformed to Federal Register version


10459.pdf (“Companies today rely on digital technology to conduct their business operations and engage with their customers, business partners, and other constituencies. In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public


SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 229, 232, 239, 240, and 249

[Release Nos. 33-11038; 34-94382; IC-34529; File No. S7-09-22]

RIN 3235-AM89

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

SUMMARY: The Securities and Exchange Commission ("Commission") is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are proposing amendments to require current reporting about material cybersecurity incidents. We are also proposing to require periodic disclosures about a registrant's policies and procedures to identify and manage cybersecurity risks, management's role in implementing cybersecurity policies and procedures, and the board of directors' cybersecurity expertise, if any, and its oversight of cybersecurity risk. Additionally, the proposed rules would require registrants to provide updates about previously reported cybersecurity incidents in their periodic reports. Further, the proposed rules would require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language ("Inline XBRL"). The proposed amendments are intended to better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.

DATES: Comments should be received on or before May 9, 2022.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic comments:

Use the Commission's Internet comment form ( ).

Send an email to Please include File Number S7-09-22 on the subject line; or

Paper comments:

Send paper comments to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to File Number S7-09-22. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method of submission. The Commission will post all comments on the Commission's website ( ). Comments also are available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Operating conditions may limit access to the Commission's public reference room. All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly.

Studies, memoranda, or other substantive items may be added by the Commission or staff to the comment file during this rulemaking. A notification of the inclusion in the comment file of any such materials will be made available on our website. To ensure direct electronic receipt of such notifications, sign up through the Stay Connected option at to receive notifications by email.

FOR FURTHER INFORMATION CONTACT: Ian Greber-Raines, Special Counsel, Office of Rulemaking, at (202) 551-3460, Division of Corporation Finance; and, with respect to the application of the proposal to business development companies, David Joire, Senior Special Counsel, at (202) 551-6825 or Chief Counsel's Office, Division of Investment Management, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION: We are proposing to amend or add the following rules and forms:

Commission Reference / CFR Citation (17 CFR)

Regulation S-K 17 CFR through
    Items 106 and 407 and
Regulation S-T 17 CFR through
    Rule 405
Securities Act of 1933 ("Securities Act")¹
    Form S-3
    Form SF-3
Securities Exchange Act of 1934 ("Exchange Act")²
    Rule 13a-11
    Rule 15d-11
    Schedule 14A
    Schedule 14C
    Form 20-F
    Form 6-K
    Form 8-K
    Form 10-Q
    Form 10-K

1. 15 77a et seq.
2. 15 78a et seq.

Table of Contents

I. BACKGROUND
    A. Existing Regulatory Framework and Interpretive Guidance Regarding Cybersecurity Disclosure
    B. Current Disclosure
II. PROPOSED AMENDMENTS
    A. Overview
    B. Reporting of Cybersecurity Incidents on Form 8-K
        1. Overview of Proposed Item of Form 8-K
        2. Examples of Cybersecurity Incidents that May Require Disclosure Pursuant to Proposed Item of Form 8-K
        3. Ongoing Investigations Regarding Cybersecurity Incidents
        4. Proposed Amendment to Form 6-K
        5. Proposed Amendments to the Eligibility Provisions of Form S-3 and Form SF-3 and Safe Harbor Provision in Exchange Act Rules 13a-11 and 15d-11
    C. Disclosure about Cybersecurity Incidents in Periodic Reports
        1. Updates to Previously Filed Form 8-K Disclosure
        2. Disclosure of Cybersecurity Incidents that Have Become Material in the
    D. Disclosure of a Registrant's Risk Management, Strategy and Governance Regarding Cybersecurity Risks
        1. Risk Management and Strategy
        2. Governance
        3. Definitions
    E. Disclosure Regarding the Board of Directors' Cybersecurity Expertise
    F. Periodic Disclosure by Foreign Private Issuers
    G. Structured Data Requirements
III. ECONOMIC ANALYSIS
    A. Introduction
    B. Economic Baseline
        1. Current Regulatory
        2. Affected Parties
    C. Potential Benefits and Costs of the Proposed
        1.
            a. Benefits to investors
                (i) More Informative and More Timely Disclosure
                (ii) Greater Uniformity and Comparability
            b. Benefits to registrants
        2. Costs
        3. Indirect Economic Effects
    D. Anticipated Effects on Efficiency, Competition, and Capital Formation

