New Cybersecurity Rules by the SEC

To supplement the current disclosures and bring coherence to public company disclosures, the Securities Exchange Commission (SEC) is proposing amendments to its rules regarding cybersecurity risk management, strategy, governance, and incident reporting.

 SEC Rules on Cybersecurity Risk Management

A vital aspect of the proposal includes a mandate for cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL). A global industry standard, iXBRL renders the disclosures in a digital format that is machine-readable. Data is tagged according to an internationally accredited taxonomy, making it easy for the machine, regulator, investors, and other stakeholders to analyze, evaluate, compare and validate. 

Titled “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” the SEC has mandated that public companies will have to follow the following reporting requirements: 

Form 8-K

  • A four business day window for registrants to disclose information about a material cybersecurity incident;
  • Previously reported cybersecurity incidents are to be updated on a new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F.
  • “Cybersecurity incidents” to become a distinct reporting topic under Form 6-K.

Disclosures based on risk management, strategy, and governance

  • The measures, policies, and procedures were taken by the filer to identify and manage cybersecurity risks;
  • Role of leadership in ensuring implementation of these processes and policies
  • Cybersecurity proficiency and expertise among the company’s Board of directors and
  • Updates about previously reported material cybersecurity incidents.

The SEC believes that these proposed rule amendments would improve the ability of investors to evaluate public companies’ cybersecurity practices and incident reporting.

As cybersecurity risks grow, public issuers get increasingly concerned about data leaks. Investors strive to ensure that companies are equipped to handle and manage these risks if and when they occur. While this information is already part of current disclosures, the SEC would like to enhance the data to be consistent, comparable, and decision-useful. Using iXBRL will help ensure a standardized format to review, assess and monitor cybersecurity measures.

While these rules are still in the stage of being a proposal, a comment period exists – 60 days following publication of the proposing news release on the SEC’s website or 30 days following publication of the release in the Federal Register, whichever ends later.

As the deadline nears, we’d love to know what you think about these proposed rules. Feel free to contact an iXBRL expert to understand how you could prepare yourselves for your company.