SEC Issues Proposed Rules on Disclosure of Cybersecurity Incidents

Stinson - Corporate & Securities Law Blog
Contact

Stinson - Corporate & Securities Law Blog

The SEC has issued proposed rules on disclosure of cybersecurity incidents.  Specifically, the SEC is proposing to:

  • Amend Form 8-K to add Item 1.05 to require registrants to disclose information about a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident;
  • Amend Forms 10-Q and 10-K to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents, as specified in proposed Item 106(d) of Regulation S-K. We also propose to amend these forms to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate;
  • Amend Form 10-K to require disclosure specified in proposed Item 106 regarding:
    • A registrant’s policies and procedures, if any, for identifying and managing cybersecurity risks;
    • A registrant’s cybersecurity governance, including the board of directors’ oversight role regarding cybersecurity risks; and
    • Management’s role, and relevant expertise, in assessing and managing cybersecurity related risks and implementing related policies, procedures, and strategies.
  • Amend Item 407 of Regulation S-K to require disclosure about if any member of the registrant’s board of directors has cybersecurity expertise.
  • Amend Item 407 of Regulation S-K to require disclosure about if any member of the registrant’s board of directors has cybersecurity expertise.
  • Require that the proposed disclosures be provided in Inline XBRL.

Form 8-K Reporting

New Item 1.05 of Form 8-K will require a registrant to disclose the following information about a material cybersecurity incident, to the extent the information is known at the time of the Form 8-K filing:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the registrant has remediated or is currently remediating the incident.

The SEC is proposing to amend General Instruction I.A.3.(b) of Form S-3 and General Instruction I.A.2 of Form SF-3 to provide that an untimely filing on Form 8-K regarding new Item 1.05 would not result in loss of Form S-3 or Form SF-3 eligibility.

The SEC is also proposing to amend Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act. In 2004, when the Commission adopted the limited safe harbor, the Commission noted its view that the safe harbor is appropriate if the triggering event for the Form 8-K requires management to make a rapid materiality determination.

Disclosure about Cybersecurity Incidents in Periodic Reports

Proposed Item 106(d)(1) of Regulation S-K would require registrants to disclose any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8-K in the registrant’s quarterly report filed with the Commission on Form 10-Q or annual report filed with the Commission on Form 10-K for the period (the registrant’s fourth fiscal quarter in the case of an annual report) in which the material change, addition, or update occurred.

In order to assist registrants in developing updated incident disclosure in its periodic reports, proposed Item 106(d)(1) provides the following non-exclusive examples of the type of disclosure that should be provided, if applicable:

  • Any material impact of the incident on the registrant’s operations and financial condition;
  • Any potential material future impacts on the registrant’s operations and financial condition;
  • Whether the registrant has remediated or is currently remediating the incident; and
  • Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.

Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks

Risk Management and Strategy

Proposed Item 106(b) would require registrants to disclose its policies and procedures, if it has any, to identify and manage cybersecurity risks and threats, including: operational risk; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk.

Specifically, proposed Item 106(b) of Regulation S-K would require disclosure, as applicable, of whether:

  • The registrant has a cybersecurity risk assessment program and if so, provide a description of such program;
  • The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
  • The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
  • The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
  • The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
  • Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies;
  • Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; and
  • Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how.

Governance

Proposed Item 106(c) would require disclosure of a registrant’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies.

Specifically, as it pertains to the board’s oversight of cybersecurity risk, disclosure required by proposed Item 106(c)(1) would include a discussion, as applicable, of the following:

  • Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
  • The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
  • Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.

Proposed Item 106(c)(2) would require a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures, and strategies. This description would include, but not be limited to, the following information:

  • Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
  • Whether the registrant has a designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons;
  • The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
  • Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.

Disclosure Regarding the Board of Directors’ Cybersecurity Expertise

The SEC proposes to amend Item 407 of Regulation S-K by adding paragraph (j) to require disclosure about the cybersecurity expertise of members of the board of directors of the registrant, if any. If any member of the board has cybersecurity expertise, the registrant would have to disclose the name(s) of any such director(s), and provide such detail as necessary to fully describe the nature of the expertise. The proposed Item 407(j) disclosure would be required in a registrant’s proxy or information statement when action is to be taken with respect to the election of directors, and in its Form 10-K.

Proposed Item 407(j) would not define what constitutes “cybersecurity expertise,” given that such expertise may cover different experiences, skills, and tasks. Proposed Item 407(j)(1)(ii) does, however, include the following non-exclusive list of criteria that a registrant should consider in reaching a determination on whether a director has expertise in cybersecurity:

  • Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
  • Whether the director has obtained a certification or degree in cybersecurity; and
  • Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.

Proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 of the Securities Act, as a result of being designated or identified as a director with expertise in cybersecurity pursuant to proposed Item 407(j). This proposed safe harbor is intended to clarify that Item 407(j) would not impose on such person any duties, obligations, or liability that are greater than the duties, obligations, and liability imposed on such person as a member of the board of directors in the absence of such designation or identification.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stinson - Corporate & Securities Law Blog | Attorney Advertising

Written by:

Stinson - Corporate & Securities Law Blog
Contact
more
less

Stinson - Corporate & Securities Law Blog on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.