Preparing For The Cybersecurity Disclosure Rules

In the first of a few ESG-related rules to come, the SEC has announced new proposed disclosure rules on cybersecurity. The agency previously hinted that it planned to update the current cybersecurity rules in place, but likely accelerated the rulemaking process in light of what an SEC spokesperson called “special relevance” linked to the Ukraine crisis. While these proposed rules will need to go through a public comment period and review, it is expected they will be in place by early summer.

As many of us have experienced in recent past, data breaches are on the rise. The Identity Theft Resource Center’s 2021 Annual Data Breach Report found in 2021 there were 1,862 data compromises, a 68% increase from 2020. As the growing number of incidents has intensified risks, cybersecurity has quickly become a hot topic for stakeholders such as customers, investors, and regulators.

While many companies have already adopted cybersecurity policies and programs, the disclosures are inconsistent and can live in corporate sustainability reports, corporate websites, or SEC filings. The SEC’s proposed disclosure rules intend to create consistency and structure within cybersecurity reporting for publicly listed companies.

Under the SEC’s proposed cybersecurity rules, public companies would need to:

  1. Disclose material cybersecurity incidents in an 8-K within 4 days of the company’s realization that the incident occurred. (Note: This is different than when the incidences themselves actually occurred. It is when the company has determined the breach(es) are material.)
  2. In addition, in their forms 10-K and 10-Q, issuers would be required to give updates on previously disclosed cybersecurity incidents and disclose where any series of immaterial incidents became material in the aggregate.
  3. In the 10-K, companies would be required to disclose their procedures for identifying and managing cybersecurity risks, including explicit board oversight of and direct expertise with cybersecurity risk and management’s role in the implementation of cybersecurity programs.

How ESG Infinite Can Help

Recently, we discussed how to strengthen your cybersecurity programs. Following the 3 steps outlined in our article will get you off to a solid start. From there, using the guidance within ESG Infinite’s cybersecurity and data privacy key topic section is a great way to ensure you are headed in the right direction.

Second, the data privacy policy checklist is comprised of all the factors you may need to consider including in your policies and programs. The checklist takes into account the major ratings agencies and what they look for in corporate disclosures. As we learn more about the new SEC requirements, it will also clearly identify which topics you need to disclose and where the disclosures should live.

Lastly, you can view examples of what other companies have already disclosed. At ESG Infinite, we closely monitor new reporting standards and best practices. ESG Infinite’s library of 500+ sample disclosures cover ESG examples from a starter level to best practice, small cap to large cap companies, and various industries.

To learn more about how ESG Infinite can help you develop strong cybersecurity disclosures, contact us.