This content was published prior to the merger of equals between BKD and DHG on June 1, 2022. See all FORsights for the most up-to-date articles, webinars, and videos.
SEC to Beef Up Cyber Rules & Disclosures
Cybersecurity threats pose an ongoing and escalating risk to public companies, investors, and market participants. Cybersecurity incidents are becoming more sophisticated and frequent. The SEC recently issued two proposals to enhance and standardize disclosure on cybersecurity risk management, strategy, governance, and incident reporting for registrants and investment advisers.
The most recent proposal, issued on March 9, 2022, covers registrants and would:
- Require current reporting about material cybersecurity incidents on Form 8-K
- Require the following periodic disclosures:
- A registrant’s policies and procedures to identify and manage cybersecurity risks
- Management’s role in implementing cybersecurity policies and procedures
- Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk
- Require updates about previously reported material cybersecurity incidents
Comments are due May 9, 2022, or 30 days after publication in the Federal Register, whichever is later.
For additional details on these potential changes, see BKD article “Public Companies Face New Cybersecurity Rules.”
The earlier proposal, issued February 9, 2022, would create new rules to enhance cybersecurity preparedness and improve the resilience of investment advisers and investment companies against cybersecurity threats and attacks as follows:
- Require advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks
- Require advisers to report significant cybersecurity incidents to the SEC on proposed Form ADV-C
- Enhance adviser and fund disclosures related to cybersecurity risks and incidents
- Require advisers and funds to maintain, make, and retain certain cybersecurity-related books and records
Comments are due April 11, 2022, or 30 days after publication in the Federal Register, whichever is later.
For additional details on these potential changes, see BKD article “New Cyber Rules Proposed for Investment Funds & Advisers.”
Conclusion
We will continue to follow this developing situation. If you have questions about these changes, contact your advisor today.
