Earlier this month, the U.S. Securities and Exchange Commission’s (SEC) 2023 Spring Unified Agenda of Regulatory and Deregulatory Actions was released. The agenda identifies the rules that the agency expects to consider in the next 12 months and includes an anticipated action date for finalizing rules for cybersecurity disclosure by public companies by October 2023. This alert provides guidance on what companies should be doing to prepare now.
Overview of the Proposed Rules
As we reported previously, the proposed rules would require current and periodic reporting of material cybersecurity incidents as well as more detailed disclosure of cybersecurity risk management, expertise, and governance. The proposal defines “cybersecurity incident” as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
Material Incident Reporting Within Four Business Days. The proposed rules would amend Form 8-K to include new Item 1.05 requiring disclosure of a cybersecurity incident within four business days of the date that the company determines that the incident is material. The SEC states that what is “material” in the context of a cybersecurity incident will be consistent with the concept of materiality under the federal securities laws generally, i.e., “there is a substantial likelihood that a reasonable shareholder would consider it important’.”1 And while materiality must be determined in the context of the relevant facts and circumstances, the proposed release provides useful examples of cybersecurity incidents that may, if found to be material, require disclosure. These examples include incidents that damage operational systems; unauthorized access to and loss of sensitive business or personal data or intellectual property; and incidents in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data. The proposed rules would specify that the materiality determination must be made as soon as reasonably practicable after discovery of the incident—and that the existence of ongoing remediation or investigations, including law enforcement investigations, would not be grounds for a delay in reporting.
Reporting on Previous Incidents. The proposed rules would amend Forms 10-Q and 10-K to include new Item 106(d). Item 106(d) would require material updates on a cybersecurity incident that was previously reported on Form 8-K—and would also require disclosures of previously undisclosed and individually immaterial cybersecurity incidents, if those individually immaterial incidents had become material when considered in the aggregate.
Policies, Government, and Management. The proposed rules would amend Form 10-K to include new Items 106(b) and (c) of Regulation S-K, which would require disclosures relating to cybersecurity policies, governance, and management. These disclosures would address how the board conducts cybersecurity oversight, as well as management's role and expertise in evaluating and managing cybersecurity risks and implementing cybersecurity policies.
Board Expertise. The proposed rules would add new Item 407(j) of Regulation S-K, which would require a proxy statement or Form 10-K to disclose whether any board member has cybersecurity expertise, naming them and detailing such expertise, such as prior work experience, education, or other background in cybersecurity. The proposed rules specify that designation of a board member as having cybersecurity expertise would not increase the duties, liabilities, or obligations of that director or decrease those of any other directors.
Foreign Issuers. Under the proposed rules, cybersecurity incidents would be added as a reporting event that may trigger a Form 6-K for foreign private issuers. In addition, Annual Reports on Form 20-F would require foreign private issuers to report updates and include disclosures comparable to Items 106 and 407 of Regulation S-K under Item 16J.
What Companies Should Do to Prepare
In anticipation of SEC action to adopt final rules for cybersecurity disclosures, we recommend that companies take proactive steps to prepare. It can take months to update a comprehensive cybersecurity risk management program, especially if it requires changes to technology systems, updates to reporting structures, or addition of new personnel. Companies can and should take steps now to evaluate their cybersecurity policies, practices, and disclosures and to enhance their cybersecurity-related disclosures in proxy statements and Form 10-K filings, including enhancing their disclosures to include more details on board oversight of cybersecurity risks, the potential impacts of cybersecurity risks, and other information about cybersecurity risk management.
The following concrete actions can help companies prepare for the SEC’s potential cybersecurity disclosure rules:
Review Incident Response Plans. Companies should review Incident Response Plans and consider whether updates for processes or drafting and approving disclosures would be needed in order to comply with any new disclosure requirements, including on Form 8-K, and accounting for the possibility that the disclosure may be required within four business days of the date that the company determines that the incident is material.
Assess Disclosure Controls and Procedures. Companies should review their disclosure controls and procedures to ensure that they are designed to enable them to properly record, process, summarize, and report information required to be disclosed about cybersecurity risks and incidents under any new rules.
Review Risk Assessment Programs. Companies should review their risk assessment program to ensure it considers cybersecurity risks and is aligned with a recognized framework, such as the NIST Cybersecurity Framework. Companies may also consider consulting with third-party cybersecurity experts on general best practices.
Review Third Party Management Practices. Companies should review their vendor management policies and procedures and ensure cybersecurity is appropriately considered.
Assign Ownership over Cybersecurity. Companies should assess their cybersecurity reporting structures and oversight. They should also clearly assign cybersecurity oversight to a board committee and designate a chief information security officer (CISO), or someone in a comparable position who operates as part of the executive management team.
Brief the Board on Cybersecurity. Companies should ensure the full board, as well as the committee responsible for cybersecurity, is regularly briefed on cybersecurity risks and incidents. Companies should document board and board committee discussions about cybersecurity in meeting minutes. The CISO should also regularly report to the board or to the committee with cybersecurity oversight. Companies may also consider appointing a director with cybersecurity expertise and, if one is not appointed, document the methods by which the board obtains such expertise (e.g., through education, training, or briefings).
[1]Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 87 Fed. Reg. at 16596 (March 23, 2022) (quoting TSC Industries, Inc. v Northway, Inc., 426 U.S. 438, at 449 (1976)).
