Skip to Content

Four Takeaways From the SEC's Proposed Cyber Rule for Public Companies

What Happened?

On March 9, the Securities and Exchange Commission (SEC) published a proposed rule, File No. S7-09-22, that would significantly impact public companies' cybersecurity reporting obligations. Among other things, the rule would require:

  • Reporting through Form 8-K within four business days of the company's determination that it has experienced a "material cybersecurity incident."
  • Standardized and periodic disclosures on Form 10-K or, where applicable, Form 10-Q, of, among other things:
    • Cybersecurity policies and procedures;
    • Management's role in implementing those policies and procedures;
    • Board of directors' cybersecurity expertise, if any;
    • Updates regarding previously reported material cybersecurity incidents; and
    • Previously undisclosed immaterial cybersecurity incidents if they become material in the aggregate.

The SEC is receiving comments through early May 2022.

Four Takeaways for Publicly Traded Companies

These are significant proposed changes, which place the SEC's determination of the proper timing and content of an incident disclosure well ahead of what most states' laws currently require. Four of our top takeaways are as follows:

  1. Given the short, four-business-day reporting obligation for material cybersecurity incidents, a company must prepare now for prompt detection, investigation, and response to those incidents. This preparatory work should include:
    1. Solidifying data maps (i.e., where is the company's data);
    2. Drafting, revising, and testing incident response plans;
    3. Developing relationships with key third parties, including law enforcement, forensics, and counsel; and
    4. Identifying outside counsel and media relations personnel to assist in drafting the Form 8-K disclosure and responding to what is often near-immediate investor, regulator, and other third party inquiry.
  2. In light of the focus on disclosures related to board oversight and experience, companies should review their board composition to include one or more members familiar with cybersecurity issues. Board meetings should include cybersecurity as a standing agenda item with presentations from management and outside experts as needed. For financial services companies that are already subject to Title 23, Part 500 of the New York state regime, much of this will be familiar.
  3. With the SEC compelling additional transparency regarding cybersecurity risks, events, and oversight, companies with existing, robust cybersecurity programs may enjoy a competitive advantage over their peers that do not have such programs. Management of such companies may also want to revisit retention and succession planning for their key cyber leaders, because this rule, if adopted, would lead to even tighter competition for cyber talent among public companies.
  4. The SEC's focus on cybersecurity portends continued enforcement risk for public companies and regulated entities. Further, the rule and its disclosure obligations may increase class action litigation risk for public companies. This is a subject we have reported on in our firm's recent Class Action Survey.

We will monitor developments in connection with the proposed rule and provide further updates.

©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.