
Conformed to Federal Register version - SEC

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 229, 232, 239, 240, and 249

[Release Nos. 33-11038; 34-94382; IC-34529; File No. S7-09-22]

RIN 3235-AM89

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

SUMMARY: The Securities and Exchange Commission ("Commission") is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are proposing amendments to require current reporting about material cybersecurity incidents. We are also proposing to require periodic disclosures about a registrant's policies and procedures to identify and manage cybersecurity risks, management's role in implementing cybersecurity policies and procedures, and the board of directors' cybersecurity expertise, if any, and its oversight of cybersecurity risk.


Additionally, the proposed rules would require registrants to provide updates about previously reported cybersecurity incidents in their periodic reports. Further, the proposed rules would require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language ("Inline XBRL"). The proposed amendments are intended to better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.

DATES: Comments should be received on or before May 9, 2022.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic comments:
Use the Commission's Internet comment form ( ); or
Send an email to ( ). Please include File Number S7-09-22 on the subject line; or

Paper comments:
Send paper comments to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to File Number S7-09-22.

This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method of submission. The Commission will post all comments on the Commission's website ( ). Comments also are available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 and 3. Operating conditions may limit access to the Commission's public reference room. All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly. Studies, memoranda, or other substantive items may be added by the Commission or staff to the comment file during this rulemaking. A notification of the inclusion in the comment file of any such materials will be made available on our website.

To ensure direct electronic receipt of such notifications, sign up through the Stay Connected option at ( ) to receive notifications by email.

FOR FURTHER INFORMATION CONTACT: Ian Greber-Raines, Special Counsel, Office of Rulemaking, at (202) 551-3460, Division of Corporation Finance; and, with respect to the application of the proposal to business development companies, David Joire, Senior Special Counsel, at (202) 551-6825 or Chief Counsel's Office, Division of Investment Management, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION: We are proposing to amend or add the following rules and forms:

Commission Reference                                    CFR Citation (17 CFR)
Regulation S-K, Items 106 and 407                       17 CFR through
Regulation S-T, Rule 405                                17 CFR through
Securities Act of 1933 ("Securities Act")[1]            Form S-3; Form SF-3
Securities Exchange Act of 1934 ("Exchange Act")[2]     Rule 13a-11; Rule 15d-11; Schedule 14A; Schedule 14C; Form 20-F; Form 6-K; Form 8-K; Form 10-Q; Form 10-K

[1] 15 U.S.C. 77a et seq.
[2] 15 U.S.C. 78a et seq.

Table of Contents

I. BACKGROUND .. 5
  A. Existing Regulatory Framework and Interpretive Guidance Regarding Cybersecurity Disclosure .. 12
  B. Current Disclosure .. 16
II. PROPOSED AMENDMENTS .. 18
  A. Overview .. 18
  B. Reporting of Cybersecurity Incidents on Form 8-K .. 20
    1. Overview of Proposed Item of Form 8-K .. 20
    2. Examples of Cybersecurity Incidents that May Require Disclosure Pursuant to Proposed Item of Form 8-K .. 24
    3. Ongoing Investigations Regarding Cybersecurity Incidents .. 25
    4. Proposed Amendment to Form 6-K .. 26
    5. Proposed Amendments to the Eligibility Provisions of Form S-3 and Form SF-3 and Safe Harbor Provision in Exchange Act Rules 13a-11 and 15d-11 .. 27
  C. Disclosure about Cybersecurity Incidents in Periodic Reports .. 32
    1. Updates to Previously Filed Form 8-K Disclosure .. 32
    2. Disclosure of Cybersecurity Incidents that Have Become Material in the .. 33
  D. Disclosure of a Registrant's Risk Management, Strategy and Governance Regarding Cybersecurity Risks .. 35
    1. Risk Management and Strategy .. 35
    2. Governance .. 38
    3. Definitions .. 41
  E. Disclosure Regarding the Board of Directors' Cybersecurity Expertise .. 44
  F. Periodic Disclosure by Foreign Private Issuers .. 48
  G. Structured Data Requirements .. 49
III. ECONOMIC ANALYSIS .. 51
  A. Introduction .. 51
  B. Economic Baseline .. 56
    1. Current Regulatory .. 56
    2. Affected Parties .. 59
  C. Potential Benefits and Costs of the Proposed .. 62
    1. .. 63
      a. Benefits to investors .. 64
        (i) More Informative and More Timely Disclosure .. 64
        (ii) Greater Uniformity and Comparability .. 68
      b. Benefits to registrants .. 71
    2. Costs .. 74
    3. Indirect Economic Effects .. 80
  D. Anticipated Effects on Efficiency, Competition, and Capital Formation .. 83
  E. Reasonable Alternatives .. 84
    1. Website Disclosure .. 84
    2. Disclosure through Form 10-Q and Form 10-K .. 85
    3. Exempt Smaller Reporting Companies .. 86
    4. Modify Scope of Inline XBRL Requirement .. 86
IV. PAPERWORK REDUCTION ACT .. 90
  A. Summary of the Collection of Information .. 90
  B. Summary of the Estimated Burdens of the Proposed Amendments on the Collections of Information .. 91
  C. Incremental and Aggregate Burden and Cost Estimates .. 93
V. SMALL BUSINESS REGULATORY ENFORCEMENT FAIRNESS ACT .. 98
VI. INITIAL REGULATORY FLEXIBILITY ACT .. 99
  A. Reasons for, and Objectives of, the Proposed .. 99
  B. Legal Basis .. 99
  C. Small Entities Subject to the Proposed Rules .. 99
  D. Projected Reporting, Recordkeeping and Other Compliance Requirements .. 100
  E. Duplicative, Overlapping, or Conflicting Federal .. 101
  F. Significant .. 102
STATUTORY AUTHORITY AND TEXT OF PROPOSED RULE AND FORM AMENDMENTS .. 104

I. BACKGROUND

Public company investors and other participants in the capital markets depend on companies' use of secure and reliable information systems to conduct their businesses. A significant and increasing amount of the world's economic activities occurs through digital technology and electronic communications.[3] In today's digitally connected world, cybersecurity threats and incidents pose an ongoing and escalating risk to public companies, investors, and market participants.[4] Cybersecurity risks have increased for a variety of reasons, including the digitalization of registrants' operations;[5] the prevalence of remote work, which has become even more widespread because of the COVID-19 pandemic;[6] the ability of cyber-criminals to monetize cybersecurity incidents, such as through ransomware, black markets for stolen data, and the use of crypto-assets for such transactions;[7] the growth of digital payments;[8] and increasing company reliance on third party service providers for information technology services, including cloud computing technology.

[3] Bhaskar Chakravorti, Ajay Bhalla, & Ravi Shankar Chaturvedi, Which Economies Showed the Most Digital Progress in 2020?, HARV. BUS. REV. (Dec. 18, 2020), available at showed-the-most-digital-progress-in-2020. See Percentage of Business Conducted Online, IBISWORLD (last updated Jan. 13, 2022). See also Department of Commerce, Bureau of Economic Analysis, Updated Digital Economy Estimates-June 2021, available at ( ) ("The digital economy accounted for percent ($2, billion) of current-dollar gross domestic product ($21, billion) in 2019, according to new estimates from BEA. When compared with traditional industries or sectors, the digital economy ranked just below the manufacturing sector[.]").

[4] See Steve Morgan, Cybercrime to Cost The World $ Trillion Annually By 2025, CYBERCRIME MAGAZINE (Nov. 13, 2020), available at ( ); Matt Powell, 11 Eye Opening Cyber Security Statistics for 2019, CPO MAGAZINE (June 25, 2019), available at ( ) ("The largest cybersecurity incidents involving public companies took place in the last ten years."); see Michael Hill and Dan Swinhoe, CSO, The 15 biggest data breaches of the 21st century, available at ( ); see Commission Statement and Guidance on Public Company Cybersecurity Disclosures ("2018 Interpretive Release"), Release No. 33-10459 (Feb. 21, 2018) [83 FR 8166 (Feb. 26, 2018)], available at ( ) ("Companies today rely on digital technology to conduct their business operations and engage with their customers, business partners, and other constituencies. In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the Commission.").

[5] See The US Digital Trust Insights Snapshot, PWC RESEARCH (June 2021), available at ( ).

[6] See Stephen Klemash and Jamie Smith, What companies are disclosing about cybersecurity risk and oversight, EY (Aug. 10, 2020), available at cybersecurity-risk-and-oversight (noting "[w]ith the COVID-19-driven accelerated shift to digital business and massive, potentially permanent shifts to remote working, including virtual board and executive management meetings, cybersecurity risks are exponentially greater."). See Navigating Cyber 2021, FS-ISAC, available at ( ). See also Vikki Davis, Combating the cybersecurity risks of working home, CYBER MAGAZINE (Dec. 2, 2021), available at security/combating-cybersecurity-risks-working-home. See also Dave Burg, Mike Maddison, & Richard Watson, Cybersecurity: How do you rise above the waves of a perfect storm?, THE EY GLOB. INFO. SEC. SURVEY (July 22, 2021), available at ( ).
