On March 9, the Securities and Exchange Commission (SEC) proposed rules and amendments to enhance and standardize public companies’ disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting.

Specifically, the proposal would do the following:

• Amend Form 8-K to add Item 1.05 to require companies to disclose information about a material cybersecurity incident within four business days after determining that such an incident has occurred.
• Amend Forms 10-Q and 10-K to require companies to provide updated disclosure relating to previously disclosed cybersecurity incidents.
• Amend Forms 10-Q and 10-K to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents have become material in the aggregate.
• Amend Item 407 of Regulation S-K to require disclosure about whether any member of the company’s board of directors has cybersecurity expertise and, if so, the nature of such expertise.
• Amend Form 10-K to require disclosure specified in proposed Item 106 regarding:
  • A company’s policies and procedures, if any, for identifying and managing cybersecurity risks.
  • A company’s cybersecurity governance, including the board of directors’ oversight role regarding cybersecurity risks.
  • Management’s role, and relevant expertise, in assessing and managing cybersecurity-related risks and implementing related policies, procedures, and strategies.

Updated Current Report Requirements

As noted above, disclosure on Form 8-K would be required within four business days after a company determines that it has experienced a material cybersecurity incident rather than the date of discovery of an incident. Instruction 1 to proposed Item 1.05 of Form 8-K provides that “a registrant shall make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.”

The adopting release clarifies that the term “cybersecurity incident” is “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” The release details various examples that may constitute a cybersecurity incident, including an incident stemming from the accidental exposure of data or a deliberate attack to steal or alter data, or an incident where a malicious actor has offered to sell or disclose sensitive company data or held such data for ransom. As proposed, the rules rely on a customary materiality standard; however, the SEC is seeking feedback on whether there should be a quantifiable threshold for what must be reported under Item 1.05.

A company would be required to disclose the following information about a material cybersecurity incident, to the extent known at the time of the filing:

1. When the incident was discovered and whether it is ongoing.
2. A brief description of the nature and scope of the incident.
3. Whether any data was stolen, altered, accessed or used for any other unauthorized purpose.
4. The effect of the incident on the company’s operations.
5. Whether the company has remedied or is currently remedying the incident (provided that the company’s planned response to the incident is not required to be disclosed).

In addition, the proposed rules would amend Form S-3 to provide that the untimely filing of a Form 8-K under Item 1.05 would not result in loss of eligibility for use of that form of registration statement.

Updated Periodic Report Requirements

The SEC’s prior 2011 and 2018 interpretive guidance was issued to assist companies in determining when they may be required to disclose information regarding cybersecurity risks and incidents under existing disclosure rules and primarily focused on disclosure relating to the company’s business and operations, risk factors, legal proceedings, corporate governance, MD&A and controls and procedures.

While the proposed rules specify that the 2011 and 2018 guidance would remain in place if the proposed rule amendments are adopted, the newly proposed amendments would expand such disclosure considerations in a company’s periodic and current reports as summarized herein.

Among other things, new Item 106(b) of Regulation S-K would require a company to provide information about its cybersecurity policies and risks, including whether a company has a cybersecurity risk assessment program and undertakes activities designed to prevent, detect, and minimize the effects of cybersecurity incidents that can improve an investor’s understanding of the company’s cybersecurity risk profile, as well as disclosure regarding a company’s selection and oversight of any third-party service providers. The new rule would also require disclosure of previous incidents that have affected or are reasonably likely to affect the company’s business.

New Item 106(c) would elicit information regarding the board’s oversight of cybersecurity risks, including whether the board or a committee thereof is responsible for risk oversight; processes pursuant to which the board is informed of cybersecurity risks; and how cybersecurity risks play into the company’s business strategy, risk management and financial oversight.

To assist companies in providing updated incident disclosure within periodic reports, the proposed rules provide the following non-exclusive examples of the type of disclosure that should be provided under new Item 106(d)(1) of Regulation S-K:

• Any material impact of the incident on the company’s operations and financial condition.
• Any potential material future impacts on the company’s operations and financial condition.
• Whether the company has remediated or is currently remediating the incident.
• Any changes in the company’s policies and procedures resulting from the cybersecurity incident and how the incident may have informed such changes.

New Item 106(d)(2) would require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. Therefore, companies would need to analyze related cybersecurity incidents for materiality, both individually and in the aggregate.

Key Takeaways for Public Companies

Although cybersecurity risks and disclosures are nothing new for public company boards of directors, the SEC’s proposal marks a dramatic shift in disclosing such events, especially the Form 8-K notification requirement and duty to disclose cybersecurity expertise and oversight by the board. In light of the potential future impact on disclosures, we recommend providing director education related to these proposals to the board and/or board committee primarily responsible for oversight of cybersecurity risks.

Additionally, companies should consider how these proposals may impact their existing cybersecurity policies, procedures and protocols. In addition, given the proposed Form 8-K requirement, companies should confirm that they have adequate processes in place to promptly make a materiality determination and file any required Form 8-K within the four-business-day deadline.

Comments on the proposed rules are due 30 days after the date of their publication in the Federal Register, or May 9, 2022, whichever is later.