SEC Proposes Rules on Disclosure of Material Cyber Incidents and Cybersecurity Practices for Public Companies

BakerHostetler

Key Takeaways

  • The Securities and Exchange Commission (SEC) proposed amendments to mandate the disclosure of material cybersecurity incidents and cybersecurity risk management, strategy and governance.
  • The proposed rules would require disclosure of material cybersecurity incidents on a Form 8-K within four business days of determining the event was material.
  • In addition, the proposed rules would require periodic reporting regarding policies and procedures to identify and manage cybersecurity risks; the board of directors’ oversight of cybersecurity risk; management’s role and expertise in assessing and managing cybersecurity risk, and in implementing cybersecurity policies and procedures; and the board of directors’ cybersecurity expertise, if any.
  • The public comment period will remain open for 60 days (or 30 days following publication of the release in the Federal Register if later).
Overview

On March 9, 2022, the SEC released proposed rules intended to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and cyber incident reporting by companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. The SEC stated the proposed rules are intended to provide timely notification of material cybersecurity incidents; better inform investors about such companies’ risk management, strategy and governance; and enable investors to assess the possible long- and short-term financial or operational effects of a material cyber incident. These rules are part of a larger push by the SEC into cybersecurity regulation, including a proposed rule with respect to investment advisers and funds that was announced last month.[1]

As discussed in more detail below, the proposed rules would add new Item 1.05 to Form 8-K and require disclosure of material cybersecurity incidents within four business days of determining the event is material. In addition, proposed amendments to Regulation S-K, Form 10-K and Form 10-Q would require (1) updated disclosure regarding previously reported material incidents and disclosure of unreported incidents that have become material in the aggregate, and (2) periodic reporting about an issuer’s policies and procedures to identify and manage cybersecurity risks; the issuer’s board of directors’ oversight of cybersecurity risk; management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures; and the board of directors’ cybersecurity expertise, if any. These rules seek to formalize what many issuers are already doing in practice, but they would reduce flexibility and add time pressure for making a public disclosure before an incident has been fully investigated. Further, as noted in the dissenting statement to the proposals, the detailed reporting that would be required regarding an issuer’s policies and procedures may be viewed as a “list of expectations about what issuers’ cybersecurity programs should look like and how they should operate” rather than focusing on the need for material disclosure, and these requirements put a spotlight on individual employees and board members involved in this process.[2]

The proposed changes to disclosure requirements follow.

1. Form 8-K Reporting of Material Cybersecurity Incidents. Form 8-K would be amended to add new Item 1.05, requiring issuers to disclose cybersecurity incidents within four business days of making a determination that a cybersecurity incident is material.[3] Under the proposed rules, the materiality determination must be made “as soon as reasonably practical after discovery of the incident”; however, the trigger for calculating the filing deadline may occur later than the date of discovery of the incident. Additionally, the proposed rules contemplate that issuers will conduct the materiality analysis in accordance with current case law, taking into account both quantitative and qualitative factors.[4]

The Form 8-K requirements would require issuers to disclose the following information to the extent that it is known at the time of filing: (1) when the incident was discovered, and whether it is ongoing; (2) a brief description of the nature and scope of the incident; (3) whether any data was stolen, altered, accessed or used for any other unauthorized purpose; (4) the effect of the incident on the issuer’s operations; and (5) whether the issuer has remediated or is currently remediating the incident. This disclosure may be required before an issuer has been able to complete its investigation of the matter and could not be delayed to facilitate an investigation by law enforcement; however, the commission’s comments indicate that it would not expect issuers to publicly disclose specific technical information at a level of detail that would impede response to or remediation of the incident.

2. Cybersecurity Incident Disclosures in Periodic Reports. There are two proposed changes to Regulation S-K that would require issuers to provide cybersecurity incident disclosures in their Form 10-Q or Form 10-K filings.[5]

a. Updates on previously reported incidents. Under proposed new Item 106(d) of Regulation S-K, issuers would be required to disclose in a Form 10-K or Form 10-Q any material changes, additions or updates related to previously disclosed material cybersecurity incidents for the period in which changes, additions or updates to information related to cybersecurity incidents occur or are discovered.[6] The required disclosures would include the following, if applicable: (1) any current or potential future material impact of the incident on the issuer’s operations and financial condition; (2) whether the issuer has remediated or is currently remediating the incident; and (3) any changes in the issuer’s policies and procedures, and how the incident may have informed such changes.

b. Series of previously unreported incidents. Item 106(d) would also require issuers to disclose the following regarding a series of previously undisclosed immaterial cybersecurity incidents that become material when viewed in the aggregate: (1) when the incidents were discovered, and whether they are ongoing; (2) the nature and scope of the incidents; (3) whether any data was stolen or altered; (4) the impact on the issuer’s operations and actions; and (5) whether the issuer remediated the incidents or is currently remediating them. It is not clear over what period of time incidents would need to be viewed for making the determination of materiality.

3. Disclosures Related to Risk Management, Strategy and Governance. Proposed amendments to Regulation S-K require issuers to provide disclosures related to cybersecurity policies and procedures, and governance.

a. Risk Mitigation and Strategy. Proposed Item 106(b) would require issuers to disclose whether the issuer (1) has implemented a cybersecurity risk assessment program, and provide a description of the program; (2) engages third parties in connection with such program; (3) has policies and procedures to oversee and identify cybersecurity risks related to third-party service providers, including whether/how cyber risk affects the selection and oversight of providers and the contractual or other mechanisms used to mitigate risk; (4) undertakes activities to prevent, detect and minimize the effect of cybersecurity incidents; (5) has business continuity, contingency and recovery plans in place; (6) made changes to governance, policies and procedures, or technologies informed by previous cybersecurity incidents; (7) determined that incidents have affected or are likely to affect results of operations or financial condition, and if so, how; and (8) considers cybersecurity risks as part of business strategy, financial planning and capital allocation, and if so, how.

b. Governance. Proposed Item 106(c) would require disclosure of oversight of cybersecurity risk by the board and management.

i. Board-related disclosures would include (1) whether the entire board, specific members or a board committee is responsible for oversight; (2) the process by which the board is informed about risks, and the frequency of discussion on this topic; and (3) whether and how the board or board committee considers cyber risks as part of business strategy, risk management and financial oversight.

ii. Management-related disclosures would include (1) whether certain positions or committees are responsible for measuring and managing cybersecurity risk, including prevention, mitigation, detection and remediation of incidents, and the relevant experience of such persons; (2) whether the issuer has a chief information security officer (or comparable position), and if so, to whom the individual reports within the organizational chart, and the relevant expertise of any such persons; (3) the processes by which responsible persons or committees are informed about and monitor prevention, mitigation, detection and remediation of incidents; and (4) whether and how frequently responsible persons or committees report to the board or a committee of the board on cyber risk.

4. Disclosure Regarding the Board of Directors’ Cybersecurity Expertise. A proposed amendment to Item 407(j) of Regulation S-K would require disclosure about the cybersecurity expertise of members of the board of directors. If any member of the board has cybersecurity expertise, the issuer would have to disclose the name of any such director and describe the nature of the expertise. The proposed rule does not define “cybersecurity expertise” but advises issuers to consider the following criteria for determining whether a director has expertise in cybersecurity: (1) prior work experience in cybersecurity; (2) certification or degree in cybersecurity; and (3) knowledge, skill or other background in cybersecurity. The proposed rule further states that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including for purposes of Section 11 of the Securities Act, and that Item 407(j) is not intended to increase the duties or liability of the person with such expertise or decrease the duties or liability of other board members.

The public comment period for the proposed rules will remain open for 60 days, or 30 days following publication of the release in the Federal Register if later.

[1] See https://www.sec.gov/news/press-release/2022-20.

[2] See Commissioner Peirce’s dissenting statement at https://www.sec.gov/news/statement/peirce-statement-cybersecurity-030922.

[3] Foreign private issuers (FPIs) are not required to file current reports on Form 8-K. Accordingly, the commission is proposing to amend Form 6-K to impose the same disclosure requirements on FPIs.

[4] The rule proposal provides the following examples of incidents that may be material: (1) an unauthorized incident that has compromised the confidentiality, integrity or availability of an information asset (data, system or network) or violated the issuer’s security policies or procedures (whether accidental or a deliberate attack); (2) an unauthorized incident that caused degradation, interruption, loss of control, damage to or loss of operational technology systems; (3) an incident in which an unauthorized party accessed or a party exceeded authorized access and altered or has stolen sensitive business information, personally identifiable information, intellectual property or information that has resulted, or may result, in a loss or liability for the issuer; (4) an incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or (5) an incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.

[5] To ensure that FPIs will be required to provide the same disclosures, corresponding amendments are being proposed to Form 20-F and Form 40-F.

[6] Issuers may still be required to file an amended 8-K where the disclosure becomes inaccurate or materially misleading based on subsequent developments in the incident, including where the impact of the incident is determined to be significantly more severe than when initially disclosed.

© BakerHostetler | Attorney Advertising