Answer the two questions below:
- Why did the SEC issue this rule?
- How did the SEC respond to comments on the rule proposal? Did the SEC do “too little” or “too much” or is the final rule “just right”? Justify your answer with appropriate evidence from the SEC rule.
Notes: Your answer can be between 300 and 1000 words. Be sure to check your answer for any spelling and grammar errors.
The material you need to complete the assignment is attached; if you need more information, you can also check the website below.
Conformed to Federal Register version
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 229, 232, 239, 240, and 249
[Release Nos. 33-11216; 34-97989; File No. S7-09-22]
RIN 3235-AM89
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
AGENCY: Securities and Exchange Commission.
ACTION: Final rule.
SUMMARY: The Securities and Exchange Commission (“Commission”) is adopting new rules
to enhance and standardize disclosures regarding cybersecurity risk management, strategy,
governance, and incidents by public companies that are subject to the reporting requirements of
the Securities Exchange Act of 1934. Specifically, we are adopting amendments to require
current disclosure about material cybersecurity incidents. We are also adopting rules requiring
periodic disclosures about a registrant’s processes to assess, identify, and manage material
cybersecurity risks, management’s role in assessing and managing material cybersecurity risks,
and the board of directors’ oversight of cybersecurity risks. Lastly, the final rules require the
cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language
(“Inline XBRL”).
DATES: Effective date: The amendments are effective September 5, 2023.
Compliance dates: See Section II.I (Compliance Dates).
FOR FURTHER INFORMATION CONTACT: Nabeel Cheema, Special Counsel, at (202)
551-3430, in the Office of Rulemaking, Division of Corporation Finance; and, with respect to the
application of the rules to business development companies, David Joire, Senior Special
Counsel, at (202) 551-6825 or [email protected], Chief Counsel’s Office, Division of Investment
Management, U.S. Securities and Exchange Commission, 100 F Street NE, Washington, DC
20549.
SUPPLEMENTARY INFORMATION: We are adopting amendments to:
Commission Reference                                   CFR Citation (17 CFR)
Regulation S-K                                         §§ 229.10 through 229.1305
    Items 106 and 601                                  §§ 229.106 and 229.601
Regulation S-T                                         §§ 232.10 through 232.903
    Rule 405                                           § 232.405
Securities Act of 1933 (“Securities Act”)1
    Form S-3                                           § 239.13
Securities Exchange Act of 1934 (“Exchange Act”)2
    Rule 13a-11                                        § 240.13a-11
    Rule 15d-11                                        § 240.15d-11
    Form 20-F                                          § 249.220f
    Form 6-K                                           § 249.306
    Form 8-K                                           § 249.308
    Form 10-K                                          § 249.310
1 15 U.S.C. 77a et seq.
2 15 U.S.C. 78a et seq.
Table of Contents
I. Introduction and Background ........ 5
II. Discussion of Final Amendments ........ 13
    A. Disclosure of Cybersecurity Incidents on Current Reports ........ 13
        1. Proposed Amendments ........ 13
        2. Comments ........ 16
        3. Final Amendments ........ 27
    B. Disclosures about Cybersecurity Incidents in Periodic Reports ........ 46
        1. Proposed Amendments ........ 46
        2. Comments ........ 48
        3. Final Amendments ........ 50
    C. Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks ........ 53
        1. Risk Management and Strategy ........ 53
            a. Proposed Amendments ........ 53
            b. Comments ........ 56
            c. Final Amendments ........ 60
        2. Governance ........ 65
            a. Proposed Amendments ........ 65
            b. Comments ........ 67
            c. Final Amendments ........ 68
        3. Definitions ........ 71
            a. Proposed Definitions ........ 71
            b. Comments ........ 72
            c. Final Definitions ........ 75
    D. Disclosure Regarding the Board of Directors’ Cybersecurity Expertise ........ 81
        1. Proposed Amendments ........ 81
        2. Comments ........ 82
        3. Final Amendments ........ 85
    E. Disclosure by Foreign Private Issuers ........ 85
        1. Proposed Amendments ........ 85
        2. Comments ........ 86
        3. Final Amendments ........ 87
    F. Structured Data Requirements ........ 88
        1. Proposed Amendments ........ 88
        2. Comments ........ 88
        3. Final Amendments ........ 88
    G. Applicability to Certain Issuers ........ 89
        1. Asset-Backed Issuers ........ 89
        2. Smaller Reporting Companies ........ 91
    H. Need for New Rules and Commission Authority ........ 93
    I. Compliance Dates ........ 107
III. OTHER MATTERS ........ 107
IV. ECONOMIC ANALYSIS ........ 108
    A. Introduction ........ 108
    B. Economic Baseline ........ 112
        1. Current Regulatory Framework ........ 112
        2. Affected Parties ........ 117
    C. Benefits and Costs of the Final Rules ........ 118
        1. Benefits ........ 119
            a. More Timely and Informative Disclosure ........ 119
            b. Greater Uniformity and Comparability ........ 130
        2. Costs ........ 134
        3. Indirect Economic Effects ........ 143
    D. Effects on Efficiency, Competition, and Capital Formation ........ 145
    E. Reasonable Alternatives ........ 146
        1. Website Disclosure ........ 146
        2. Disclosure through Periodic Reports ........ 147
        3. Exempt Smaller Reporting Companies ........ 148
V. PAPERWORK REDUCTION ACT ........ 150
    A. Summary of the Collections of Information ........ 150
    B. Summary of Comment Letters and Revisions to PRA Estimates ........ 151
    C. Effects of the Amendments on the Collections of Information ........ 152
    D. Incremental and Aggregate Burden and Cost Estimates for the Final Amendments ........ 154
VI. FINAL REGULATORY FLEXIBILITY ANALYSIS ........ 158
    A. Need for, and Objectives of, the Final Amendments ........ 158
    B. Significant Issues Raised by Public Comments ........ 158
        1. Estimate of Affected Small Entities and Impact to Those Entities ........ 160
        2. Consideration of Alternatives ........ 162
    C. Small Entities Subject to the Final Amendments ........ 165
    D. Projected Reporting, Recordkeeping, and other Compliance Requirements ........ 165
    E. Agency Action to Minimize Effect on Small Entities ........ 166
Statutory Authority ........ 169
I. Introduction and Background
On March 9, 2022, the Commission proposed new rules, and rule and form amendments,
to enhance and standardize disclosures regarding cybersecurity risk management, strategy,
governance, and cybersecurity incidents by public companies that are subject to the reporting
requirements of the Exchange Act.3 The proposal followed on interpretive guidance on the
application of existing disclosure requirements to cybersecurity risk and incidents that the
Commission and staff had issued in prior years.
In particular, in 2011, the Division of Corporation Finance issued interpretive guidance
providing the Division’s views concerning operating companies’ disclosure obligations relating
to cybersecurity (“2011 Staff Guidance”).4 In that guidance, the staff observed that “[a]lthough
no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a
number of disclosure requirements may impose an obligation on registrants to disclose such risks
and incidents,” and further that “material information regarding cybersecurity risks and cyber
incidents is required to be disclosed when necessary in order to make other required disclosures,
in light of the circumstances under which they are made, not misleading.”5 The guidance pointed
specifically to disclosure obligations under 17 CFR 229.503 (Regulation S-K “Item 503(c)”)
(Risk factors) (since moved to 17 CFR 229.105 (Regulation S-K “Item 105”)), 17 CFR 229.303
(Regulation S-K “Item 303”) (Management’s discussion and analysis of financial condition and
results of operations), 17 CFR 229.101 (Regulation S-K “Item 101”) (Description of business),
17 CFR 229.103 (Regulation S-K “Item 103”) (Legal proceedings), and 17 CFR 229.307
3 See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11038 (Mar. 9, 2022) [87 FR 16590 (Mar. 23, 2022)] (“Proposing Release”).
4 See CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
5 Id.
(Disclosure controls and procedures), as well as to Accounting Standards Codifications 350-40
(Internal-Use Software), 605-50 (Customer Payments and Incentives), 450-20 (Loss
Contingencies), 275-10 (Risks and Uncertainties), and 855-10 (Subsequent Events).6
In 2018, “[i]n light of the increasing significance of cybersecurity incidents,” the
Commission issued interpretive guidance to reinforce and expand upon the 2011 Staff Guidance
and also address the importance of cybersecurity policies and procedures, as well as the
application of insider trading prohibitions in the context of cybersecurity (“2018 Interpretive
Release”).7 In addition to discussing the provisions previously covered in the 2011 Staff
Guidance, the new guidance addressed 17 CFR 229.407 (Regulation S-K “Item 407”) (Corporate
Governance), 17 CFR Part 210 (“Regulation S-X”), and 17 CFR Part 243 (“Regulation FD”).8
The 2018 Interpretive Release noted that companies can provide current reports on Form 8-K
and Form 6-K to maintain the accuracy and completeness of effective shelf registration
statements, and it also advised companies to consider whether it may be appropriate to
implement restrictions on insider trading during the period following an incident and prior to
disclosure.9
As noted in the Proposing Release, current disclosure practices are varied. For example,
while some registrants do report material cybersecurity incidents, most typically on Form 10-K,
review of Form 8-K, Form 10-K, and Form 20-F filings by staff in the Division of Corporation
Finance has shown that companies provide different levels of specificity regarding the cause,
scope, impact, and materiality of cybersecurity incidents. Likewise, staff has also observed that,
6 Id.
7 See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 21, 2018) [83 FR 8166 (Feb. 26, 2018)], at 8167.
8 Id.
9 Id.
while the majority of registrants that are disclosing cybersecurity risks appear to be providing
such disclosures in the risk factor section of their annual reports on Form 10-K, the disclosures
are sometimes included with other unrelated disclosures, which makes it more difficult for
investors to locate, interpret, and analyze the information provided.10
In the Proposing Release, the Commission explained that a number of trends underpinned
investors’ and other capital markets participants’ need for more timely and reliable information
related to registrants’ cybersecurity than was produced following the 2011 Staff Guidance and
the 2018 Interpretive Release. First, an ever-increasing share of economic activity is dependent
on electronic systems, such that disruptions to those systems can have significant effects on
registrants and, in the case of large-scale attacks, systemic effects on the economy as a whole.11
Second, there has been a substantial rise in the prevalence of cybersecurity incidents, propelled
by several factors: the increase in remote work spurred by the COVID-19 pandemic; the
increasing reliance on third-party service providers for information technology services; and the
rapid monetization of cyberattacks facilitated by ransomware, black markets for stolen data, and
crypto-asset technology.12 Third, the costs and adverse consequences of cybersecurity incidents
to companies are increasing; such costs include business interruption, lost revenue, ransom
payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost
assets, litigation risks, and reputational damage.13
10 See infra Section IV.A (noting that current cybersecurity disclosures appear in varying sections of companies’ periodic and current reports and are sometimes included with other unrelated disclosures).
11 Proposing Release at 16591-16592. See also U.S. FINANCIAL STABILITY OVERSIGHT COUNCIL, ANNUAL REPORT (2021), at 168, available at https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf (finding that “a destabilizing cybersecurity incident could potentially threaten the stability of the U.S. financial system”).
12 Proposing Release at 16591-16592.
13 Id.
Since publication of the Proposing Release, these trends have continued apace, with
significant cybersecurity incidents occurring across companies and industries. For example,
threat actors repeatedly and successfully executed attacks on high-profile companies across
multiple critical industries over the course of 2022 and the first quarter of 2023, causing the
Department of Homeland Security’s Cyber Safety Review Board to initiate multiple reviews.14
Likewise, state actors have perpetrated multiple high-profile attacks, and recent geopolitical
instability has elevated such threats.15 A recent study by two cybersecurity firms found that 98
percent of organizations use at least one third-party vendor that has experienced a breach in the
last two years.16 In addition, recent developments in artificial intelligence may exacerbate
cybersecurity threats, as researchers have shown that artificial intelligence systems can be
leveraged to create code used in cyberattacks, including by actors not versed in programming.17
Overall, evidence suggests companies may be underreporting cybersecurity incidents.18
14 See Department of Homeland Security, Cyber Safety Review Board to Conduct Second Review on Lapsus$ (Dec. 2, 2022), available at https://www.dhs.gov/news/2022/12/02/cyber-safety-review-board-conduct-second-review-lapsus; see also Tim Starks, The Latest Mass Ransomware Attack Has Been Unfolding For Nearly Two Months, WASH. POST (Mar. 27, 2023), available at https://www.washingtonpost.com/politics/2023/03/27/latest-mass-ransomware-attack-has-been-unfolding-nearly-two-months/.
15 See, e.g., Press Release, Federal Bureau of Investigation, FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony’s Horizon Bridge Currency Theft (Jan. 23, 2023), available at https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft; Alert (AA22-257A), Cybersecurity & Infrastructure Security Agency, Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations (Sep. 14, 2022), available at https://www.cisa.gov/uscert/ncas/alerts/aa22-257a; National Security Agency et al., Joint Cybersecurity Advisory: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure (Apr. 20, 2022), available at https://media.defense.gov/2022/Apr/20/2002980529/-1/-1/1/joint_csa_russian_state-sponsored_and_criminal_cyber_threats_to_critical_infrastructure_20220420.pdf.
16 SecurityScorecard, Cyentia Institute and SecurityScorecard Research Report: Close Encounters of the Third (and Fourth) Party Kind (Feb. 1, 2023), available at https://securityscorecard.com/research/cyentia-close-encounters-of-the-third-and-fourth-party-kind/.
17 Check Point Research, OPWNAI: AI that Can Save the Day or Hack it Away (Dec. 19, 2022), available at https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hack-it-away.
18 Bitdefender, Whitepaper: Bitdefender 2023 Cybersecurity Assessment (Apr. 2023), available at https://businessresources.bitdefender.com/bitdefender-2023-cybersecurity-assessment.
Legislatively, we note two significant developments occurred following publication of
the Proposing Release. First, the President signed into law the Cyber Incident Reporting for
Critical Infrastructure Act of 2022 (“CIRCIA”)19 on March 15, 2022, as part of the Consolidated
Appropriations Act of 2022.20 The centerpiece of CIRCIA is the reporting obligation placed on
companies in defined critical infrastructure sectors.21 Once rules are adopted by the
Cybersecurity & Infrastructure Security Agency (“CISA”), these companies will be required to
report covered cyber incidents to CISA within 72 hours of discovery, and report ransom
payments within 24 hours.22 Importantly, reports made to CISA pursuant to CIRCIA will remain
confidential; while the information contained therein may be shared across Federal agencies for
cybersecurity, investigatory, and law enforcement purposes, the information may not be
disclosed publicly, except in anonymized form.23 We note that CIRCIA also mandated the
creation of a “Cyber Incident Reporting Council . . . to coordinate, deconflict, and harmonize
Federal incident reporting requirements” (the “CIRC”), of which the Commission is a member.24
Second, on December 21, 2022, the President signed into law the Quantum Computing
Cybersecurity Preparedness Act, which directs the Federal Government to adopt technology that
is protected from decryption by quantum computing, a developing technology that may increase
19 Cyber Incident Reporting for Critical Infrastructure Act of 2022, Pub. L. No. 117-103, 136 Stat. 1038 (2022).
20 Consolidated Appropriations Act of 2022, H.R. 2471, 117th Cong. (2022).
21 The sectors are defined in Presidential Policy Directive / PPD-21, Critical Infrastructure Security and Resilience (Feb. 12, 2013), as: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; Water and Wastewater Systems. Because these sectors encompass some private companies and do not encompass all public companies, CIRCIA’s reach is both broader and narrower than the set of companies subject to the rules we are adopting.
22 6 U.S.C. 681b(a)(1).
23 6 U.S.C. 681e. See infra Section II.A.3 for a discussion of why our final rules serve a different purpose and are not at odds with the goals of CIRCIA.
24 6 U.S.C. 681f.
computer processing capacity considerably and thereby render existing computer encryption
vulnerable to decryption.25
We received over 150 comment letters in response to the Proposing Release.26 The
majority of comments focused on the proposed incident disclosure requirement, although we also
received substantial comment on the proposed risk management, strategy, governance, and board
expertise requirements. In addition, the Commission's Investor Advisory Committee adopted
recommendations (“IAC Recommendation”) with respect to the proposal, stating that it: supports
the proposed incident disclosure requirement; supports the proposed risk management, strategy,
and governance disclosure requirements; recommends the Commission reconsider the proposed
board of directors’ cybersecurity expertise disclosure requirement; suggests requiring companies
to disclose the key factors they used to determine the materiality of a reported cybersecurity
25 Quantum Computing Cybersecurity Preparedness Act, H.R. 7535, 117th Cong. (2022). More recently, the White House released a National Cybersecurity Strategy to combat the ongoing risks associated with cyberattacks. The National Cybersecurity Strategy seeks to rebalance the responsibility for defending against cyber threats toward companies instead of the general public, and looks to realign incentives to favor long-term investments in cybersecurity. See Press Release, White House, FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy (Mar. 2, 2023), available at https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/.
26 The public comments we received are available at https://www.sec.gov/comments/s7-09-22/s70922.htm. On Mar. 9, 2022, the Commission published the Proposing Release on its website. The comment period for the Proposing Release was open for 60 days from issuance and publication on SEC.gov and ended on May 9, 2022. One commenter asserted that the comment period was not sufficient and asked the Commission to extend it by 30 days. See letter from American Chemistry Council (“ACC”). In Oct. 2022, the Commission reopened the comment period for the Proposing Release and other rulemakings because certain comments on the Proposing Release and other rulemakings were potentially affected by a technological error in the Commission’s internet comment form. See Resubmission of Comments and Reopening of Comment Periods for Several Rulemaking Releases Due to a Technological Error in Receiving Certain Comments, Release No. 33-11117 (Oct. 7, 2022) [87 FR 63016 (Oct. 18, 2022)] (“Reopening Release”). The Reopening Release was published on the Commission’s website on Oct. 7, 2022 and in the Federal Register on Oct. 18, 2022, and the comment period ended on Nov. 1, 2022. A few commenters asserted that the comment period for the reopened rulemakings was not sufficient and asked the Commission to extend the comment period for those rulemakings. See, e.g., letters from Attorneys General of the states of Montana et al. (Oct. 24, 2022) and U.S. Chamber of Commerce (Nov. 1, 2022). We have considered all comments received since Mar. 9, 2022 and do not believe an additional extension of the comment period is necessary.
incident; and suggests extending the proposed 17 CFR 229.106 (Regulation S-K “Item 106”)
disclosure requirements to registration statements.27
We are making a number of important changes from the Proposing Release in response to
comments received. With respect to incident disclosure, we are narrowing the scope of
disclosure, adding a limited delay for disclosures that would pose a substantial risk to national
security or public safety, requiring certain updated incident disclosure on