On March 9, 2022, the U.S. Securities and Exchange Commission (the “SEC”) released proposed amendments (the “Proposed Amendments”) aimed at enhancing and standardizing disclosure relating to cybersecurity risks and incidents. Under the existing regulatory framework, neither Regulation S-K nor Regulation S-X expressly requires that cybersecurity risk management procedures, cybersecurity risks or incidents be disclosed. However, the SEC’s Division of Corporation Finance published disclosure guidance in 2011, which was followed by SEC interpretive guidance issued in 2018, explaining when registrants may be required to disclose information in SEC filings relating to cybersecurity risks and incidents under the principles-based disclosure framework, while considering the materiality of such risks and incidents.
Additional Authors: Kimberly Ayudant and Marc X.W. Leong.