On March 9, 2022, the SEC voted to propose rules mandating sweeping cybersecurity measures for public companies and foreign private issuers.[1] Most notably, the rules would impose a 4-day reporting requirement for domestic issuers who have experienced a “material cybersecurity incident.” The rules would also require foreign issuers to disclose information about material cybersecurity incidents on Forms 6-K and 20-F.
The proposed rules broadly define a “cybersecurity incident” to cover effectively any intrusion of a company’s systems: “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
