[co-author: Gregory Wiessner]
On March 9, 2022, the SEC proposed rules, by a 3-1 vote, that are intended to enhance disclosures about cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed rules are premised on the idea that “investors would benefit from greater availability and comparability of disclosure by public companies across industries regarding their cybersecurity risk management, strategy, and governance practices in order to better assess whether and how companies are managing cybersecurity risks.” If adopted as proposed, the rules will dramatically impact the way public companies, boards, and management disclose cyber incidents and matters relating to their cybersecurity oversight (including board and management expertise). The proposed rules represent a significant expansion of the current guidance, which dates back to 2011 and 2018 (see our prior post), and if adopted as released, will likely lead to operational and governance changes for many businesses.
The Proposed Rules
The proposal addresses the perceived need for enhanced cybersecurity disclosures in several ways, including through new current reporting and periodic reporting obligations. Specifically, the rule proposal adds a new Item 1.05 to Form 8-K and makes a number of amendments to Forms 10-K and 10-Q, particularly through proposed amendments to Regulation S-K Item 407 and the addition of new Regulation S-K Item 106.
Current Reporting. A new item would be added to Form 8-K requiring companies to disclose information within four business days after the company determines that it has experienced a material cybersecurity incident. More specifically, new Item 1.05 of Form 8-K would require disclosure regarding:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the company’s operations; and
- Whether the incident has been remediated or the company is currently remediating the incident.
The proposing release acknowledges that the SEC does not expect “a registrant to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”
“Materiality” for purposes of the proposed cybersecurity incidents disclosure will follow the definition of materiality under securities law (i.e., material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available”). Materiality determinations must be made “as soon as reasonably practicable after discovery of the incident.” The SEC is seeking comment about whether the date of the “discovery” of the incident should trigger the new Form 8-K obligation, as opposed to the date the company determines that it is a material event.
Notably, proposed Item 1.05 will be included within the Form S-3 safe harbor.
Updated Reporting. Forms 10-Q and 10-K would include updated incident disclosure under new Item 106(d) of Regulation S-K that describes material changes, additions, or updates regarding previously provided disclosure under Item 1.05 of Form 8-K. Such updates should include material effects and any potential material future impacts of the incident on the company’s operations and financial condition, whether the company has remediated or is currently remediating the incident, and any changes in the company’s policies and procedures as a result of the cybersecurity incident, including how such incident may have informed those changes.
Additionally, the company would need to monitor and provide disclosure when a sequence of previously undisclosed and individually immaterial cybersecurity incidents, in aggregate, has become material. Such disclosure would include (i) when the incidents were discovered and whether they are ongoing; (ii) a brief description of the nature and scope of such incidents; (iii) whether any data was stolen or altered; (iv) the impact of such incidents on the company’s operations; and (v) whether the company has remediated or is currently remediating the incidents.
Governance and Oversight. Among other periodic disclosures, the proposed rules further the SEC’s aim to improve disclosure about board oversight of cybersecurity. New Item 106 of Regulation S-K would also require several specific disclosures regarding (i) policies and procedures, if any, for identifying and managing cybersecurity risks and (ii) the company’s cybersecurity governance, including (A) the board of directors’ role in oversight of cybersecurity risks and (B) management’s role in assessing and managing cybersecurity-related risks and implementing the company’s cybersecurity policies, procedures, and strategies. These disclosures would be provided in new Part I, Item 1.C of Form 10-K.
The proposed rule provides that disclosure regarding a company’s cybersecurity policies and procedures should include:
- Whether the company has a cybersecurity risk assessment program and a description thereof if applicable;
- Whether the company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
- Whether the company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider;
- Any activities undertaken to prevent, detect or minimize the effects of cybersecurity incidents;
- Whether the company has business continuity, contingency and recovery plans in the event of a cybersecurity incident;
- Whether previous cybersecurity incidents informed changes to the company’s governance, policies and procedures or technologies, or affected the company’s strategy, business model, results of operations or financial condition; and
- Whether cybersecurity risks are considered part of the company’s business strategy, financial planning and capital allocation.
Proposed disclosures with respect to board oversight include the following:
- Whether the entire board, specific directors or a particular committee is responsible for oversight of cybersecurity risks;
- The process by which the board is informed about cybersecurity risks (and the frequency of the discussions); and
- Whether and how the board or committee discusses cybersecurity risk as part of its business strategy, risk management, and financial oversight.
Proposed disclosures regarding management’s role include the following:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk;
- Whether the company has a designated chief information security officer or someone in a comparable position, to whom such person reports, and the relevant expertise of such person “in such detail as necessary to fully describe the nature of the expertise”;
- The processes by which such persons or committees are informed about and monitor for the prevention, mitigation, detection and remediation of cybersecurity incidents; and
- Whether and how frequently such persons or committees report to the board or a committee of the board on cybersecurity risk.
Disclosure of Cybersecurity Expert. Amended Item 407 would require disclosure of whether any member of the company’s board has expertise in cybersecurity and, if so, the nature of such expertise. Unlike in the context of an “audit committee financial expert,” the rule does not mandate the criteria for determining cybersecurity expertise, though it does provide a non-exclusive list of criteria that companies should consider in this regard. The proposed rule also makes clear that such identified persons will not be considered an “expert” for Section 11 purposes.
XBRL Tagging Will Be Required. To enable more large-scale analysis of the new data being disclosed, the SEC is proposing that all forms will require inline XBRL tagging of the new disclosures described above.
- The SEC will need to clarify several key issues in the proposing release, including whether the clock for Form 8-K reporting should start at discovery of an incident or determination that the incident was material.
- Given that companies will also need to regularly disclose policies and procedures, to the extent that they have them, for identifying and managing cybersecurity risks, there will have to be careful consideration of the level at which disclosure can be made without jeopardizing the security programs themselves. While most public companies will already have strong and iterative internal and external audit and improvement programs, understanding the status of each policy and procedure and where vulnerabilities may arise will help with planning to meet the SEC’s requirements. Additionally, the contemplated disclosures could be of particular interest to plaintiffs exercising a renewed focus on directors’ duty of oversight, and companies may want to evaluate proposed disclosures through that lens.
- Companies will be required to put forth new disclosure regarding the board’s expertise in cybersecurity, which could prompt a renewed recruiting focus on director candidates with such expertise.
- There will be increased scrutiny of Chief Information Officers and Chief Information Security Officers and their reporting lines.
- Adoption of the proposed rules may result in the SEC taking an expanded role in determining the adequacy of companies’ internal incident reporting procedures, data security mechanisms, and cybersecurity management.
The public comment period will remain open for 60 days following publication of the proposing release on the SEC’s website, which occurred on March 9, 2022, or 30 days following publication of the proposing release in the Federal Register, whichever period is longer. As a result, pending the Federal Register publication date, the comment period will run through at least May 9, 2022.
In the meantime, public companies may want to begin reviewing their existing policies and procedures regarding cybersecurity risk as well as their internal reporting and oversight structure. To the extent that changes in cybersecurity oversight are effected ahead of the adoption of any final rules, companies should consider whether they need to make any conforming updates to their upcoming proxy statement disclosures.