At an open meeting this morning, the Securities and Exchange Commission voted (with dissenters—see, for example, Commissioner Peirce’s statements) to adopt amendments aimed at enhancing and standardizing disclosures related to cybersecurity risks and incidents. The amendments were first proposed in March 2022 and generated significant comment both as a result of the prescriptive nature of the proposed disclosure requirements, as well as because the proposed amendments addressed a number of board level governance and cyber oversight matters. While the amendments reflect a number of the concerns raised by commenters, the rules remain fairly prescriptive. A registrant will be required to file a Form 8-K using new Item 1.05 in order to report a material cybersecurity incident and describe the material aspects of the incident. Regulation S-K is being amended to require that registrants describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, among other things. These significant changes come with a very short effective date.
A detailed client alert will follow.