SEC proposes sweeping new public company cybersecurity disclosure and governance rules
Cybersecurity risk governance and disclosure has been the subject of a number of recent cyber-focused proposals. As Congress considers imposing broad federal cyber incident notification requirements, the Securities and Exchange Commission (SEC), on March 9, 2022, voted 3-1 to issue proposed new rules that would require publicly traded companies to disclose “cybersecurity incidents” (defined below) in current reports on Form 8-K or Form 6-K for foreign private issuers within four business days of determining that an incident is material and, thereafter, correct prior disclosures when new or additional material information becomes available.
In addition, registrants would be required to include in quarterly and annual reports a list and updates of past incidents as well as extensive information regarding cybersecurity risk management, strategy, governance practices and board and management expertise.
This rule proposal follows on the heels of several SEC enforcement actions against public companies related to cybersecurity disclosures as well as SEC Chair Gary Gensler’s January 2022 speech previewing potential rules (discussed here) and the SEC’s February 2022 proposed new rules related to cybersecurity risk management for registered investment advisers, registered investment companies, and business development companies (discussed here).
The proposed rules would require companies to:
- Disclose, within 4 business days, material cybersecurity incidents on Form 8-K and correct such disclosure by filing an amended Form 8-K where the initial disclosure becomes inaccurate or materially misleading as a result of subsequent developments regarding the incident.
- Include disclosures in periodic filings regarding, among other things:
- A company’s policies and procedures to identify and manage cybersecurity risks
- Whether the company has engaged third-party service providers in connection with its risk assessment program
- Management’s role in implementing cybersecurity policies and procedures, including whether the company has a chief information security officer or other management positions responsible for managing cybersecurity risk, and the expertise of such persons;
- The board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk, including the processes by and frequency with which the board of directors is informed about cybersecurity risks and
- Updates about previously reported material cybersecurity incidents.
- Present cybersecurity disclosures in Inline eXtensible Business Reporting Language (Inline XBRL).
As proposed, there are no exemptions or phase-in periods for smaller reporting companies, emerging growth companies or foreign private issuers. The SEC will be accepting comments on the proposed rules for the longer of 60 days following publication of the proposing release on the SEC's website (which occurred on March 9, 2022) or 30 days following publication of the proposing release in the Federal Register.
Background and current requirements
Under SEC Chair Gensler, cybersecurity has become an increasingly important focus area within the SEC, both through enforcement actions and proposed rulemaking.
In 2011, the Division of Corporate Finance issued interpretive guidance (the 2011 Guidance) to public companies regarding the Staff’s view on public companies’ existing disclosure obligations relating to cybersecurity risks and incidents. In 2018, the Commission issued interpretive guidance (the 2018 Guidance) to reinforce and expand upon the 2011 Guidance, identifying several areas of potential disclosures in a company’s SEC filings with respect to cybersecurity risks and incidents, such as the Risk Factors, Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Description of Business, Legal Proceedings, Financial Statements and Subsequent Events, and Disclosure Controls and Procedures and Certifications sections in ongoing periodic filings and proxy statements.
The 2018 Guidance further made clear that while Form 8-K did not include any specific requirements to disclose cybersecurity incidents, voluntary disclosure may be advisable if a company determines that the incident is material or if disclosure becomes necessary under Regulation FD.
While the SEC’s regulations did not explicitly address cybersecurity, the 2011 Guidance and 2018 Guidance encouraged companies to use the existing disclosure framework and requirements to determine whether a cyber-related incident is material and should result in public disclosure, balancing the potential materiality of any incident or risk with the importance of not compromising the company’s ongoing cybersecurity efforts. The 2018 Guidance also emphasized the importance of disclosure controls and procedures that enable the company to appropriately record, process, summarize and report to investors material information related to cybersecurity risks and incidents.
In proposing the new rules, the SEC recognized that disclosures by public companies of material cybersecurity incidents and cybersecurity risk management and governance have improved since the issuance of the 2011 Guidance and 2018 Guidance but expressed concern that the nature of cybersecurity incident disclosure varies widely and current reporting may contain insufficient detail. In the proposing release, the SEC reminded public companies that the 2011 and 2018 Guidance would remain in place if the SEC adopts these new rules.
The proposed rules
Definition of “cybersecurity incidents”
The proposed rules define a cybersecurity incident as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.” The SEC notes that what constitutes a cybersecurity incident should be construed broadly and would include third-party systems, not just company-owned systems. The proposed rules also include a non-exclusive list of examples of cybersecurity incidents, including an accidental exposure of data, a deliberate action or activity to gain unauthorized access to systems or to steal or alter data, a ransom demand or other demand by a malicious actor who has stolen or altered data, or other system compromises or data breaches.
Evaluation of the materiality of cybersecurity incidents
The proposed rules do not define materiality. Rather, they refer to the definition set out in numerous securities laws cases, including TSC Industries, Inc. v. Northway, Inc., which defines information as material if “there is a substantial likelihood that a reasonable shareholder would consider it important” or if it would have “significantly altered the ‘total mix’ of information made available.”
The SEC further notes that analysis of a cybersecurity incident’s materiality would need to include both quantitative and qualitative factors, such that even if the probability of an adverse consequence is relatively low, if the magnitude of loss or liability is high, the incident may still be considered material. A company’s materiality analysis will require a careful assessment of whether the incident is “material in light of the specific circumstances presented by applying a well-reasoned, objective approach from a reasonable investor’s perspective based on the total mix of information.” [Proposing Release at 23-24]
Reporting cyber incidents on Form 8-K
The proposed rules would amend Form 8-K to add Item 1.05 to require public companies to disclose information about a material cybersecurity incident within four business days after the company determines that the incident is material. The SEC would require companies to disclose the following information to the extent known at the time of filing:
- When the incident was discovered and whether it is ongoing
- A brief description of the nature and scope of the incident
- Whether any data was stolen, altered, accessed or used for any other unauthorized purpose
- The effect of the incident on the company’s operations and
- Whether the company is currently remediating the incident.
Under Instruction 1 to the proposed new Item 1.05, companies would be required to make a materiality determination “as soon as reasonably practicable after discovery of the incident.” Similar amendments are proposed to Form 6-K to add “cybersecurity incidents” as a reporting topic for foreign private issuers. Of course, four business days after this materiality determination, a company’s investigation may still be ongoing, and the proposed rules specifically would not allow for any delay pending such investigations. While disclosure would only be required to the extent the information is known at the time of filing, companies in this situation may have to make challenging disclosure decisions in light of incomplete – that is, only partially known – information.
While the SEC notes that the Staff of the Division of Corporation Finance (the Staff) would not expect a company to publicly disclose specific, technical information about its planned response to an incident or a potential system vulnerabilities in such detail as would impede the company’s response or remediation of an incident, the absence of any grace period for completing an investigation and the requirement to disclose the nature of incident, if it is ongoing, and if it is (still) being remediated may attract malicious actors.
As proposed, the rules would require US public companies to file rather than furnish an Item 1.05 Form 8-K disclosure, making those companies subject to liability under Section 18 of the Securities Exchange Act of 1934 for materially false or misleading statements or omissions in disclosures regarding cybersecurity incidents. Untimely filing under new Item 1.05 of Form 8-K would not, however, result in a loss of Form S-3 or Form SF-3 eligibility.
Further, the SEC noted that there may be situations where an amended Form 8-K would need to be filed, including where a company becomes aware of subsequent developments regarding a cyber incident that has been reported on Form 8-K such that the previous disclosure has become inaccurate or materially misleading.
The proposed 4-business day material cybersecurity incident reporting trigger will require companies to have in place protocols and controls for prompt escalation and assessment of cybersecurity incidents.
Updating disclosures about cybersecurity incidents in periodic reports
The proposed rules also would amend Forms 10-K and 10-Q (and provide for similar amendments to Form 20-F for foreign private issuers) to require updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.
New Item 106(d) of Regulation S-K would require public companies to provide updates in periodic reports about previously reported cybersecurity incidents. A non-exclusive list of required types of disclosures suggested by the SEC includes:
- Any material impact of the incident on the company’s operations and financial condition including any potential material future impacts
- Whether the company has remediated or is currently remediating the incident and
- Any changes in the company’s policies and procedures as a result of the cybersecurity incident.
Disclosure of risk management, strategy and governance regarding cybersecurity risks
In addition to incident reporting, the proposed rules also would require enhanced and standardized disclosure of public companies’ cybersecurity risk management, strategy and governance. New Item 106 of Regulation S-K would require the following disclosures in companies’ periodic reports on Forms 10-K and 10-Q:
- A description of the company’s policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the company considers cybersecurity as part of its business strategy, financial planning and capital allocation.
- Disclosure of whether the company engages assessors, consultants or other third parties in connection with any cybersecurity risk assessment program and any policies and procedures to oversee and identify cybersecurity risks associated with its use of any third-party service providers.
- Disclosure about the company’s cybersecurity governance, including the board of directors’ oversight role regarding cybersecurity risk, the processes by which the board is informed about cybersecurity risks and the frequency of its discussions on the topic.
- Disclosure about management’s role, and relevant expertise, in assessing and managing cybersecurity related risks and implementing related policies, procedures and strategies, including whether the company has a chief information security officer or other management positions responsible for managing cybersecurity risk, and the relevant expertise of such persons, as well as the processes by which such persons are informed about and monitor cybersecurity risks and incidents and whether and how frequently such persons report to the board of directors on cybersecurity risks and incidents.
As proposed, a company that has not established any cybersecurity policies or procedures would not have to explicitly state that this is the case.
Disclosure regarding the board of directors’ cybersecurity expertise
The proposed rules also would amend Item 407 of Regulation S-K to require disclosure in certain annual reports or proxy statements if any member of the board of directors has cybersecurity expertise and include enough detail “as necessary to fully describe the nature of the expertise,” which is a higher threshold than currently exists for other experience-related disclosures, such as the requirement to name an “audit committee financial expert.”
While the rules do not define what would constitute “cybersecurity expertise,” an instruction to the proposed rules provides guidance that “expertise” would include prior work experience in cybersecurity, any relevant degrees or certifications, and any other knowledge, skills or background in cybersecurity.
The rules as proposed also include a safe harbor for any person who is designated as having cybersecurity expertise and would not impose additional duties, obligations or liability on such persons, including for purposes of Section 11 of the Securities Act of 1933. Companies are not required to have a board member with cybersecurity expertise and If a company does not have a person with cybersecurity expertise on its board of directors, it would not be required to make an explicit statement that this is the case.
Inline XBRL for cybersecurity disclosures
To better inform investors about cybersecurity incidents and a company’s risk management, strategy and governance surrounding cybersecurity, the proposed rules also would require companies to tag the information required to be disclosed under Item 1.05 of Form 8-K and Items 106 and 407(j) of Regulation S-K in Inline XBRL. This would include block text tagging of the narrative disclosures as well as tagging of quantitative amounts disclosed.
Commissioners’ statements on the proposed rules
Multiple SEC commissioners have provided formal statements on the proposed rules, both in support of, and against, the proposal. SEC Chair Gensler supports the proposed rules and amendments, stating that, if adopted, the proposed rules wouldprovide benefits to companies and investors by requiring cybersecurity risks and incidents to be disclosed “in a consistent, comparable and decision-useful manner” which would “strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting." Similarly, Commissioner Caroline A. Crenshaw issued a statement supporting the proposed rules, citing concerns that “disclosures relating to cyber-security incidents are inconsistent in level of detail, time of disclosure, and placement” and stating that she was in support of the proposed rules as “an important step forward in addressing this growing and ever-present risk.”
In contrast, Commissioner Hester M. Peirce dissented, voicing concern about regulatory overreach and stated that the proposed rules casts the SEC as “the nation’s cybersecurity command center, a role Congress did not give” the SEC. Commissioner Peirce took issue with the “unprecedented micromanagement” of public companies embodied in the governance disclosure requirements and stated her view that this type of corporate decision-making “should be left to business – not SEC – judgment.” Commissioner Peirce also noted that the level of detail and prescriptive nature of the disclosures enumerated in the new disclosure requirements “look more like a list of expectations about what issuers’ cybersecurity programs should look like and how they should operate.” She is concerned that the rules “will have the undeniable effect of incentivizing companies to take specific actions to avoid appearing as if they do not take cybersecurity as seriously as other companies.”
While the proposed rules may ultimately change, and as noted above, the SEC commissioners are not unified in their views, if the rules were to go into effect as proposed, there would be a number of potentially significant implications for public companies, including:
- Prompt materiality assessments will become essential. As proposed, companies would need to begin assessing materiality “as soon as reasonably practicable after discovery of the incident” and would need to disclose the incident within four business days of determining that the incident has become material. In practice, this would require companies to have robust internal controls and procedures to ensure that these materiality determinations are timely made, properly documented, and then revisited throughout the duration and investigation of an incident. For large companies that may be subjected to frequent and persistent cyberattacks, this process of assessing materiality, both on an individual incident basis and in the aggregate, could become a significant exercise. Moreover, in practice, the full scope and potential materiality of a cyber incident is often not known at the time a company first becomes aware of the issue and what may seem like a material incident in hindsight may not be so apparent in real time as a situation develops. As the SEC has shown in recent enforcement actions, a failure to make fulsome and timely disclosures also may be viewed as a deficiency in internal controls, making the process by which companies assess materiality and document such determination of critical importance.
- Companies should expect to balance differing regulatory and law enforcement requirements. The SEC proposes to mandate disclosure of material cybersecurity incidents in 4 business days. State cybersecurity requirements are different. Similarly, the content of proposed SEC and state law disclosures will likely differ. Further, the timing and content of public disclosure might impact ongoing law enforcement investigations or efforts to recover stolen funds or to detect wrongdoers or threat actions. The proposed SEC rules will add yet another layer to the already complex balancing act companies face when addressing material cybersecurity incidents.
- With cybersecurity incidents, the SEC proposes to create an explicit, affirmative duty to update. The proposed rules create two paths that might require updating disclosure. First, the rules would create an affirmative duty to update previously disclosed cybersecurity incident disclosures in future periodic reports.In addition, by creating a Form 8-K disclosure obligation upon determination of materiality, the rules would compel companies to include public disclosure of incidents at a time when the incident may still be developing or under investigation. The SEC noted in a footnote to the proposed rules that waiting until the next periodic report to update prior disclosures may not be sufficient. For example, the SEC noted that if the impact of an incident is determined to be “significantly more severe than previously disclosed” an amended Form 8-K may be required even before an update on the incident is due in the next periodic report. Companies would therefore need to assess not just what updates might be required in future periodic reports but also whether the nature of those updates gives rise to an interim Form 8-K disclosure obligation.
- Cybersecurity expertise will become a board imperative. While the proposed rules do not mandate that boards have cybersecurity expertise, by requiring disclosure of the names of directors with that experience, as well as detail regarding how that determination was made, the proposed rules may effectively prompt public companies to seek out directors with a greater degree of cybersecurity knowledge. By highlighting a board’s knowledge on cybersecurity, the proposed rules may potentially expose companies without board members that have that depth of specific knowledge to greater risk of investor activism, shareholder advisory criticism and potentially shareholder litigation in the event of a material cybersecurity incident. As more and more companies disclose detailed board cybersecurity expertise, companies lacking such expertise may face increased challenges that they are not acting with reasonable care.
- The SEC would be expanding the use of disclosure regime to influence operational decisions. In addition to director expertise disclosure, the proposed rules would also require disclosure of whether a company has a chief information security officer, including his or her expertise and authority within the organization, and detailed information regarding a board’s and management’s role in implementing and discussing cybersecurity. By requiring such specific and expansive disclosure which will likely have the impact of leading companies to make personnel decisions related to that disclosure, the SEC’s rule proposal has the effect of using disclosure rules to expand its influence into what has historically been a topic of ordinary course business operations and judgment.
- Additional policies, procedures and internal controls would be required. Cybersecurity disclosure controls and procedures have been a key area of focus by the SEC, and the various disclosure requirements in the proposed rules would increase the need to develop and assess the effectiveness of such controls. The proposed rules reinforce the SEC’s expectation set forth in its 2018 Guidance that a company’s financial reporting and control systems must be designed to provide reasonable assurance that information about the range and magnitude of cybersecurity incidents will be incorporated in its financial statements on a timely basis as information becomes available. Companies looking to fully comply with the proposed rules (if adopted), would need to thoroughly consider how they create appropriate disclosure controls and procedures to comply with the rules, how they document those controls and procedures, and how they assess their effectiveness.
- Companies would need to consider risks associated with third-party service providers. The SEC’s proposed definition of a company’s “information systems” includes “information resources owned or used by the registrant.” As proposed, there would be no safe harbor for information about cybersecurity incidents affecting third-party information resources that are used but not owned by a public company. In addition, the proposed rules would require disclosure concerning a company’s selection and oversight of third-party entities. If adopted, the proposed rules would likely create a greater focus on a company’s selection processes and controls related to third parties, including controls designed to ensure timely and fulsome disclosure of third-party originated incidents so that companies can adequately comply with their own disclosure obligations.
The proposal contains several groups of questions on which the SEC has requested comment. The public comment period for the proposed rules will be open for 60 days following publication of the release on the SEC’s website, or 30 days following the publication of the proposing release in the Federal Register (whichever period is longer). As of the date of this alert, the proposed rules have not yet been published in the Federal Register.
Public companies and other market participants should also expect more rules related to cybersecurity. In his statement on the proposed rules, Chair Gensler commented that this is the third rulemaking project the SEC has proposed on cybersecurity, and that he had asked the SEC staff to make recommendations for the SEC’s consideration with respect to broker-dealers, Regulation Systems Compliance and Integrity and Regulation S-P (related to customer notices).
For more information, please contact the authors of this article or your DLA Piper relationship attorney.