SEC Proposes Rules to Enhance and Standardize Cybersecurity‑Related Disclosure for Public Companies

On March 17, 2022, Cravath prepared a memo for its clients entitled “SEC Proposes Rules to Enhance and Standardize Cybersecurity‑Related Disclosure for Public Companies,” which summarizes the agency’s proposed new rules, released on March 9, 2022, for disclosures of cybersecurity incidents, risk management, strategy and governance. The proposed rules include requirements for current disclosure of material cybersecurity incidents and periodic disclosures on certain forms and proxy statements, and apply the same rules to foreign private issuers as proposed for domestic public companies. The memo also analyzes the SEC’s earlier series of issuances of interpretive guidance and the potential effects of the proposed change on companies’ compliance procedures. In sum, the memo concludes that, if adopted as proposed, these rules will create the first cybersecurity-specific disclosure obligations for public companies, and may lead to operational and governance changes for many companies.

Please click here to read the memo.