toppan merrill
  • Insights
  • About Us
  • Contact
  • Client Login

    Toppan Merrill Bridge™

    Content Control

    My Workspace

    Form N-MFP Online

    Toppan Merrill Document Delivery

    Toppan Merrill Insurance Solutions

    Section16Direct

    SEC Connect

    SOX Automation

  • EN

    English

    简体中文 (Simplified Chinese)

    繁體中文 (Traditional Chinese)

  •  
  • Capital Markets Transactions
    • Capital Markets Transactions

      Equity, Debt & IPO Offering Management Services

      M&A

       

       

       
       

      Capital Markets Transactions Resources

      Insights & Analysis

      Events

      SEC Resources

      EDGAR Resources

      XBRL Resources

       

       

      Capital Markets Transactions Products

      Bridge

      Built on the Microsoft® Office® platform, Bridge makes disclosure content management easier, faster and more accurate.

       

       

       

  • Regulatory Disclosure
    • Regulatory Disclosure for Corporations

      Annual Meeting & Proxy Solutions

      Periodic & Interim Reporting

      iXBRL and EDGAR for US-GAAP & IFRS Filers

      iXBRL for ESEF Filings

      SEDAR Filings

      Section 16 Filings

      Automated SOX Compliance

       

       

      Regulatory Disclosure for Investment Management

      Periodic & Interim Reporting and Prospectuses

      Component Content Management & Output

      Website Document Hosting

      Shareholder Preference Center

      Compliance Center for Variable Products

       

       

       

      Regulatory Disclosure Resources

      Insights & Analysis

      Events

      SEC Resources

      EDGAR Resources

      XBRL Resources

       

       

      Regulatory Disclosure Products

      Bridge

      Built on the Microsoft® Office® platform, Bridge makes disclosure content management easier, faster and more accurate.

       

       

      SOX Automation

      Intuitive SaaS technology that centralizes all business locations, processes, risks and controls delivering efficiency, transparency, and predictability of cost.

       

       

  • Sales & Marketing Communications
    • Sales and Marketing Communications

      Offerings

      Omni-channel communications

      Document Creation & Management

      Sales Enablement

      ADA Services

      Fulfillment & Distribution

      Printing Services

       

       

       

      Industries

      Financial Services

      Health Insurance

       

       

       

      Sales and Marketing Communications Resources

      Insights & Analysis

      Events

       

       

      Sales and Marketing Communications Products

      Connect

      Drive client engagement and streamline personalized, compliant communications from printing to leading-edge digital solutions.

       

       

       

  • Products
    TOPPAN MERRILL
    ConnectTM

    Connect helps drive client engagement and streamline personalized, compliant communications from printing to leading-edge digital solutions.

    TOPPAN MERRILL
    BridgeTM

    A seamless SaaS solution built on the Microsoft® Office® platform, Bridge is an intuitive technology that makes disclosure content management easier, faster and more accurate.

  • Resources
    •  
       

      Insights & Analysis

      Events

      SEC Resources

      XBRL Resources

      SEC EDGAR Resources, Definitions, and Processes

      Regulatory Compliance Glossary

       

       

       

toppan merrill
  • Capital Markets Transactions
    • Overview
    • Equity, Debt & IPO Offering Management Services
    • M&A
  • Regulatory Disclosure
    • For Corporations

      • Overview
      • Annual Meeting and Proxy Statement Solutions
      • Periodic & Interim Reporting
        • EDGAR & iXBRL for SEC Filings (US-GAAP & IFRS)
        • iXBRL for ESEF Filings
        • SEDAR Filings
        • Section 16 Filings
        • Automated SOX Compliance
    • For Investment

      • Overview
      • Prospectus for Investment Management
      • Periodic & Interim Reporting for Investment Management
        • Component Content Management & Output
        • Website Document Hosting
        • Shareholder Preference Center
        • Portfolio Specific Document Management for Variable Products
  • Sales & Marketing Communications
    • Overview
    • Offerings

      • Omni-Channel Communications
      • Document Creation & Management
      • Sales Enablement
      • ADA Services
      • Fulfillment & Distribution
      • Printing Services
    • Industries

      • Financial Services
      • Health Insurance
      • Dynamic Publishing for Health Insurance
  • Products
    • Connect
    • Bridge
    • SOX Automation
  • Resources
    • Insights & Analysis
    • Events
    • SEC Resources
    • SEC EDGAR Resources
    • XBRL Resources
    • glossary
  • Insights & Analysis
  • About Us
  • Contact
  • Client Login
    • Toppan Merrill BridgeTM
    • Content Control
    • My Workspace
    • Form N-MFP Online
    • Toppan Merrill Document Delivery
    • Toppan Merrill Insurance Solutions
    • Section16Direct
 

The SEC Proposes Cybersecurity Disclosure Rules! 4 Things to Know
By Perkins Coie on 22 March, 2022
1 min read | Industry Insights Insights Home

abstract-creative-financial-graph-on-modern-laptop-background-forex-picture-id1211908336

On Wednesday, March 9, 2022, the SEC proposed cybersecurity disclosure rules. Here’s the 129-page proposing release – and here’s the fact sheet. This proposal was much anticipated as it’s no secret that cybersecurity incidents are one of the more serious types of risk that any company faces today.

As highlighted in SEC Chair Gary Gensler’s statement, the intent of the rules is to make disclosures regarding cybersecurity more “consistent, comparable, and decision-useful.” Overall, the proposed rules are fairly prescriptive, consistent with other recent SEC proposals and a departure from the more principles-based focus of rulemaking under the prior SEC Chair. For cybersecurity topics, the specificity may be helpful to companies in determining how to craft disclosures.

But, as noted in Commissioner Hester Peirce’s dissenting statement, “the proposed rules pressure companies to consider adapting their existing policies and procedures to conform to the Commission’s preferred approach.” The comment period extends until the later of May 9th or 30 days after publication in the Federal Register.

Here are four things to know about the proposal:

1. Form 8-K Disclosure of Cyber Incidents, With Materiality-Linked Trigger: The proposed rules include new Form 8-K Item 1.05, which would be triggered by a company’s determination that it has experienced a material cybersecurity incident. Notably, like other Form 8-K items that rely on materiality determinations, the proposal provides that an untimely filing would not result in a loss of Form S-3 or Form SF-3 eligibility.

By making the disclosure trigger dependent upon a company’s determination that a material incident has occurred, the proposal provides needed flexibility in what can be a complicated process of assessing the effect of an incident. The proposal also places guardrails on this flexibility, including an instruction that “a registrant shall make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.”

But, in her comments during the open Commission meeting, Commissioner Allison Herren Lee called on commenters to provide insight on whether this flexibility makes the disclosure threshold too flexible. Similarly, the proposing release asks whether Form 8-K disclosure should be triggered by any cybersecurity incident. If the final rules were to require Form 8-K disclosure of all cybersecurity incidents, companies probably would face incredibly burdensome challenges in making meaningful and accurate disclosure in all cases, particularly considering the four-business day reporting requirement.

This is one of more challenging areas for disclosure controls and materiality determinations. Companies on the one hand don’t want to jump the gun and disclose a cybersecurity incident that makes it look more serious than it is. But they also should want to get disclosure about an incident out there as soon as possible – if it’s material – to stave off any potential litigation. It’s a tough road to navigate, particularly if the extent of an incident takes time to sleuth out accurately once the incident is detected.

2. Periodic Report Disclosures for Updating Form 8-K Disclosures: Two parts of proposed new Regulation S-K Item 106 would create requirements to update or supplement Form 8-K disclosures regarding cybersecurity incidents:

– Proposed Item 106(d)(1) would require disclosure of material changes, additions or updates to information included in the Form 8-K.

– If a company experienced a series of immaterial cybersecurity incidents that have become material in the aggregate, proposed Item 106(d)(2) would require disclosure in a periodic report (Form 10-Q or Form 10-K for the fourth quarter) for the quarter in which the company determines the incidents are material in the aggregate.

These requirements are akin to many other SEC reporting requirements for quarterly updates.

3. Form 10-K Disclosures: Proposed Regulation S-K Item 106 also covers disclosures that would be provided annually in Form 10-K in two categories:

– Risk management and strategy – Companies would be required to discuss, as necessary to adequately describe their policies and procedures, topics including risk assessment programs, risks associated with third-party service providers, and risks and incidents that have affected or are reasonably likely to affect the company’s results of operations or financial condition.

– Governance – Companies would be required to discuss both the board’s role in oversight of cybersecurity risk, and management’s role in assessing and managing cybersecurity risks and implementing related policies, procedures, and strategies. For management’s role, the proposal calls for disclosure of the relevant expertise of the company’s chief information security officer (CIO) and other members of management responsible for measuring and managing cybersecurity risk. A disclosure requirement about management expertise – which would potentially include managers beyond a company’s executive officers – would be unusual in the SEC’s disclosure framework.

4. Proxy Disclosure of Board Cybersecurity Expertise: The proposal would also amend Regulation S-K Item 407 to elicit disclosure regarding the cybersecurity expertise of board members, if any. This disclosure would be included in Part III of Form 10-K, meaning it would typically be disclosed in the proxy statement. Unlike the board financial expert disclosure that is already required, the proposal would require disclosure of any details necessary to describe the nature of the expertise. For good reason, there already has been a push by many boards to add directors with cybersecurity expertise. For those boards that don’t currently have directors with this kind of expertise, the SEC’s proposal might serve as a wake-up call.

View Source (for all formatting, tables, footnotes, etc.)

Share

Share on twitter Share on linkedin Share on facebook
Previous ArticleBack to the Future: CMS’ Oversight of Sales and Marketing
Next Article4 Elements of an Effective Member Communications Program for Firms

Subscribe

Subscribe

Subscribe

Subscribe

Perkins Coie



toppanmerrill.com


Show more posts from author

Capital Markets & Compliance;
 

Expert Support

The best-in-class partner for complex, secure communications. Contact Toppan Merrill today.

Contact Us

Subscribe to the Toppan Merrill Blog

Gain actionable insight on industry trends, best practices & successful strategies to help your business.

Subscribe

Blog Categories

  • Industry Trends
  • Shareholder Communications
  • 40 Act SEC Regulations
  • Digital Communications
  • Toppan Merrill Connect
  • Content Management
  • Print/Fulfillment

Blog Categories

  • Industry Trends
  • Shareholder Communications
  • 40 Act SEC Regulations
  • Digital Communications
  • Toppan Merrill Connect
  • Content Management
  • Print/Fulfillment

Blog Categories

  • Member Communications
  • Section 508 Compliance
  • Digital Communications
  • Toppan Merrill Connect

Blog Categories

  • Industry trends
  • Shareholder communications
  • 40 act SEC regulations
  • Digital communications
  • Toppan Merrill connect
  • Content management
  • Print/fulfillment

Most Popular Articles

Most Popular Articles

Most Popular Articles

Most Popular Articles

Regulatory Resources

  • SEC Resources
  • EDGAR Resources
  • XBRL Resources

Toppan Merrill Corporate Video

2022 Compliance Calendar

Toppan Merrill 2022 Compliance Calendar_DIGITAL_Page_01
Download

2022 Interactive Digital Compliance Calendar

2022 Interactive Digital Compliance Calendar

View Calendar

Regulatory Resources

  • SEC Resources
  • EDGAR Resources
  • XBRL Resources

Get Your Life Back

Learn More

Toppan Merrill Corporate Video

2022 COMPLIANCE CALENDAR

Toppan Merrill 2022 Compliance Calendar_DIGITAL_Page_01
Download

2022 Interactive Digital Compliance Calendar

2022 Interactive Digital Compliance Calendar

Download
Get Your Life Back
Learn More
Toppan Merrill Corporate Video

Regulatory Resources

  • SEC Resources
  • EDGAR Resources
  • XBRL Resources

Toppan Merrill Corporate Video

2022 COMPLIANCE CALENDAR

Toppan Merrill 2020 Compliance Calendar_DIGITAL_Page_01
Download

2022 Interactive Digital Compliance Calendar

2022 Interactive Digital Compliance Calendar

Download

Latest Blogs

Latest Blogs

Latest Blogs

Latest Blogs

ToppanMerrill logo

Expand Possible.

twitter linkedin

Solutions

  • Capital Markets Transactions
  • Regulatory Disclosures for Corporations
  • Regulatory Disclosures for Investment Management Companies
  • Financial Services Marketing & Communications
  • Health Insurance Marketing & Communications
  • Election Services

Technologies

  • Toppan Merrill Connect™
  • Toppan Merrill Bridge™

Blog

  • Insights

About Toppan Merrill

  • About Toppan Merrill
  • Operating Principles
  • Careers

Get In Touch

  • Contact Us

TERMS OF USE | PRIVACY NOTICE | TOPPAN MERRILL SERVICES AGREEMENT | TOPPAN MERRILL SUPPLIERS | GLOSSARY

© Toppan Merrill 2022

ToppanMerrill logo
Expand Possible.
` twitter linkedin
Solutions
  • Capital Markets Transactions
  • Regulatory Disclosures for Corporations
  • Regulatory Disclosures for Investment Management Companies
  • Financial Services Marketing & Communications
  • Health Insurance Marketing & Communications
  • Election Services
Technologies
  • Toppan Merrill ConnecTM
  • Toppan Merrill BridgeTM
BLOG
  • Insights
About Toppan Merrill
  • About Toppan Merrill
  • Operating Principles
  • Careers
Get In Touch
  • Contact Us

TERMS OF USE | PRIVACY NOTICE | TOPPAN MERRILL SERVICES AGREEMENT | TOPPAN MERRILL SUPPLIERS | GLOSSARY

© Toppan Merrill 2019