Policy Briefing — SEC Cybersecurity Disclosure Proposal
The U.S. Securities and Exchange Commission proposed rule amendments on March 9, 2022, requiring public companies to disclose material cybersecurity incidents within four business days and to describe their governance, risk management, and board oversight practices.
Executive briefing: The U.S. Securities and Exchange Commission (SEC) voted to propose the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure amendments to Regulation S-K and Form 8-K. The proposal would mandate current reporting of material incidents, annual disclosures on risk management programs, and transparency into board-level cyber oversight.
Core requirements
- Form 8-K Item 1.05. Registrants must disclose material cybersecurity incidents within four business days, describing scope, timing, and impact.
- Periodic reporting. Annual reports must explain risk assessment processes, third-party oversight, incident response playbooks, and how prior incidents shaped governance.
- Board expertise. Companies must describe cybersecurity oversight responsibilities and identify directors with cybersecurity expertise.
Implementation guidance
- Align incident response escalation procedures with the proposed four-business-day disclosure clock, including legal reviews and board notification workflows.
- Document cybersecurity risk management practices, supplier diligence, and board briefings to support narrative disclosures under proposed Regulation S-K Item 106.
- Inventory director skills matrices and succession plans to address the proposed requirement to disclose cybersecurity expertise at the board level.