SEC Proposes Cybersecurity Disclosure Rules for Public Companies

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed amendments to its rules to require disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.[1]

If adopted after a 60-day comment period following publication in the Federal Register, the proposed amendments would require:

• Current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, as well as disclosure of individually immaterial cybersecurity incidents that become material in the aggregate;
• Periodic reporting about:
  
  • A company’s policies and procedures to identify and manage cybersecurity risks;
  • Oversight of cybersecurity risk by the board of directors; and
  • Management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures; and
• Annual reporting about the board of directors’ cybersecurity expertise, if any.

Key Takeaways for Public Companies

If the SEC’s rules are adopted as proposed, public companies would need to:

• Ensure that incident response policies and procedures provide a clear path to escalate incidents to corporate leadership and/or a disclosure committee, and that disclosure controls and procedures are in place to discern the impact that an incident may have on the company;
• Undertake a materiality assessment as soon as practicable after learning of the incident;
• Report material cybersecurity incidents, including any impact on business operations, on a Form 8-K within four business days of their determination that the incident is material;
• Update their Form 10-Qs and 10-Ks with information regarding material cybersecurity incidents previously reported via Form 8-K, and immaterial cybersecurity incidents that, in the aggregate, have been determined to be material, including the impact of these incidents on the company’s business operations and financial condition;
• Disclose periodically their cybersecurity risk management governance, strategy, and policies and procedures, including delineating who is responsible for cybersecurity governance and ensuring that such programs are tailored to known risks and reassessed periodically; and
• Specify the cybersecurity expertise of their boards of directors.

Background

For over a decade, the SEC and its staff have been focused on disclosures that public companies make about cybersecurity risks.

On October 13, 2011, the SEC’s Division of Corporation Finance issued disclosure guidance to assist public companies “in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.”[2] CF Disclosure Guidance Topic No. 2 reviewed the applicability of existing SEC disclosure requirements to cybersecurity concerns, noting that: (i) businesses increasingly focus or rely on internet communications and remote data storage; (ii) risks and potential costs associated with cyber attacks and inadequate cyber security are increasing; and (iii) as with other operational and financial risks and events, companies should, on an ongoing basis, review the adequacy of disclosure relating to cybersecurity risks and other cyber incidents.

On February 20, 2018, the SEC issued interpretive guidance, which noted that public companies should take all required actions “to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”[3] The SEC noted in this guidance the importance of disclosure controls and procedures “that provide an appropriate method of discerning the impact that such matters may have on the issuer and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.” In addition, the 2018 Interpretive Release noted that “directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.” The SEC indicated that companies should have policies and procedures in place to: (i) guard against directors, officers, and other corporate insiders taking advantage of the period between the issuer’s discovery of a cybersecurity incident and public disclosure of the incident to trade based on material nonpublic information about the incident; and (ii) help ensure that the issuer makes timely disclosure of any related material nonpublic information.

Over the past decade, the SEC has also brought numerous enforcement actions against public companies that experienced material cybersecurity incidents, alleging that the companies failed to adequately disclose such incidents and/or failed to have appropriate disclosure controls and procedures in place to facilitate the timely disclosure of material cybersecurity incidents. The SEC has also brought insider trading actions against individuals who traded in a company’s securities while in possession of material nonpublic information regarding a material cybersecurity incident.

The SEC has now proposed rule amendments that it believes will standardize and enhance disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies, which “are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.”

Current Reporting of Cybersecurity Incidents on Form 8-K

Based on a growing concern that “material cybersecurity incidents are underreported and that existing reporting may not be sufficiently timely,” the SEC proposes to require that companies disclose material cybersecurity incidents in a Current Report on Form 8-K within four business days after the company determines that it has experienced a material cybersecurity incident.

The SEC proposes to amend Form 8-K by adding new Item 1.05, which would require a company to disclose the following information about a material cybersecurity incident, to the extent the information is known when the company files the Form 8-K:

• When the incident was discovered and whether it is ongoing;
• A brief description of the nature and scope of the incident;
• Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
• The effect of the incident on the company’s operations; and
• Whether the company has remediated or is currently remediating the incident.

In the Proposing Release, the SEC notes that while companies would be required to provide disclosure responsive to the enumerated items to the extent known at the time of filing of the Item 1.05 Form 8-K, the SEC “would not expect a registrant to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”

The SEC notes that the proposed trigger for an Item 1.05 Form 8-K is the date on which a company determines that a cybersecurity incident it has experienced is material, rather than the date of discovery of the incident. The SEC indicates that, in some cases, the date of the company’s materiality determination could coincide with the date of discovery of the cybersecurity incident, while in other situations the materiality determination could occur after the discovery date. In order to address the concern that some companies may delay making such a determination to avoid triggering a disclosure obligation, Instruction 1 to proposed Item 1.05 states: “a registrant shall make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.”

The SEC also notes that what constitutes “materiality” for purposes of this disclosure item would be consistent with the established principles of materiality articulated in numerous court decisions.[4] In this regard, information is considered material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the “total mix” of information made available. The Proposing Release states:

A materiality analysis is not a mechanical exercise, nor should it be based solely on a quantitative analysis of a cybersecurity incident. Rather, registrants would need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material. Even if the probability of an adverse consequence is relatively low, if the magnitude of the loss or liability is high, the incident may still be material; materiality ‘depends on the significance the reasonable investor would place on’ the information.

The SEC indicates that, under the proposed rules, when a cybersecurity incident occurs, companies would need to “carefully assess whether the incident is material in light of the specific circumstances presented by applying a well-reasoned, objective approach from a reasonable investor’s perspective based on the total mix of information.”

The SEC provides a non-exclusive list of examples of cybersecurity incidents that may, if determined by the company to be material, trigger the disclosure requirement in proposed Item 1.05 on Form 8-K:

• An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network), or violated the company’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
• An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
• An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the company;
• An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
• An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.

The SEC notes that proposed Item 1.05 would not provide for a delay in filing the required Form 8-K when there is an ongoing internal or external investigation related to the cybersecurity incident. Consistent with the guidance that the SEC provided in the 2018 Interpretive Release, the SEC is of the view that while an ongoing investigation might affect the specifics of the disclosure that is provided, the ongoing internal or external investigation is not, on its own, a basis to avoid disclosure of a material cybersecurity incident. The SEC continues to recognize that a delay in reporting may facilitate law enforcement investigations aimed at apprehending the perpetrators of the cybersecurity incident and preventing future cybersecurity incidents, but, on balance, the SEC believes that that the importance of timely disclosure of cybersecurity incidents for investors justifies not providing for a reporting delay.

The SEC also observes that a company may have obligations to report incidents at the state or federal level, which are distinct from the company’s obligations to disclose material information under the federal securities laws. As a result, there is a possibility that a company would be required to disclose a cybersecurity incident pursuant to Item 1.05 of Form 8-K, even when the company could delay reporting the incident under other applicable laws.

Recognizing the difficult materiality judgments that would need to be made in determining whether an Item 1.05 Form 8-K would be required, the SEC proposes to add Item 1.05 to the list of Form 8-K items specified in General Instruction I.A.3.(b) of Form S-3 and General Instruction I.A.2 of Form SF-3, so that the untimely filing of an Item 1.05 Form 8-K would not result in a loss of Form S-3 or Form SF-3 eligibility, so long as Form 8-K reporting is current at the time the Form S-3 or SF-3 is filed. The SEC has also proposed amendments to Exchange Act Rules 13a-11(c) and 15d-11(c) to include Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Exchange Act Section 10(b) and Exchange Act Rule 10b5-1.

Disclosures about Cybersecurity Incidents in Periodic Reports

The SEC is proposing to require periodic disclosures (e.g., in Annual Reports on Form 10-K and Quarterly Reports on Form 10-Q) about updates regarding previously reported cybersecurity incidents and individually immaterial cybersecurity incidents that become material in the aggregate.

Updates to Previously Filed Form 8-K Disclosure

Proposed Item 106(d)(1) of Regulation S-K would require companies to disclose any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8-K in a company’s Quarterly Report on Form 10-Q or Annual Report on Form 10-K for the period (the company’s fourth fiscal quarter in the case of an annual report) in which the material change, addition, or update occurred. For example, the SEC notes a situation where, after filing the initial Form 8-K disclosure about a material cybersecurity incident, the company becomes aware of additional material information about the scope of the cybersecurity incident and whether any data was stolen or altered. Under the proposed Item 106(d)(1) disclosure requirement, the company would need to provide updates that allow investors to stay informed about those developments. The SEC also notes that a company may be able to provide information under proposed Item 106(d)(1) about the effect of the previously reported cybersecurity incident on its operations, as well as a description of remedial steps it has taken, or plans to take, in response to the incident when that information was not available at when the company filed the initial Form 8-K.

Proposed Item 106(d)(1) of Regulation S-K provides the following non-exclusive examples of the type of disclosure that should be provided, if applicable:

• Any material impact of the incident on the company’s operations and financial condition;
• Any potential material future impacts on the company’s operations and financial condition;
• Whether the company has remediated or is currently remediating the incident; and
• Any changes in the company’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.

The SEC indicates in the Proposing Release that, notwithstanding the disclosure requirement in proposed Item 106(d)(1) of Regulation S-K, there may be situations where a company would need to file an amended Form 8-K to correct disclosure from the initial Item 1.05 Form 8-K, such as where that disclosure becomes inaccurate or materially misleading as a result of subsequent developments regarding the incident. For example, the SEC notes that if the impact of the incident is determined after the initial Item 1.05 Form 8-K filing to be significantly more severe than previously disclosed, an amended Form 8-K may be required.

Disclosure of Cybersecurity Incidents That Have Become Material in the Aggregate

Proposed Item 106(d)(2) of Regulation S-K would require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. As a result of this proposed disclosure requirement, companies would be required to analyze related cybersecurity incidents for materiality, both individually and in the aggregate. If the related cybersecurity incidents become material in the aggregate, a company would need to disclose:

• When the incidents were discovered and whether they are ongoing;
• A brief description of the nature and scope of such incidents;
• Whether any data was stolen or altered;
• The impact of such incidents on the company’s operations and the company’s actions; and
• Whether the company has remediated or is currently remediating the incidents.

In the Proposing Release, the SEC provides an example where one malicious actor engages in a number of smaller (but continuous) cyber-attacks, related in time and form, against the same company and collectively these attacks are either quantitatively or qualitatively material, or both. The SEC notes that such incidents would need to be disclosed in the periodic report for the period in which a company has made a determination that the incidents are material in the aggregate.

Disclosure of a Company’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks

The SEC is proposing to require periodic disclosures about a company’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and oversight of cybersecurity risk by the board of directors.

Risk Management and Strategy

The SEC proposes Item 106(b) of Regulation S-K to require companies to provide disclosure regarding their cybersecurity risk management and strategy. Proposed Item 106(b) would require companies to disclose their policies and procedures, if they have any, to identify and manage cybersecurity risks and threats, including: (i) operational risk; (ii) intellectual property theft; (iii) fraud; (iv) extortion; (v) harm to employees or customers; (vi) violation of privacy laws and other litigation and legal risk; and (vii) reputational risk. Specifically, proposed Item 106(b) of Regulation S-K would require disclosure, as applicable, of whether:

• The company has a cybersecurity risk assessment program and, if so, a description of such program;
• The company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
• The company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider, including, but not limited to, those providers that have access to the company’s customer and employee data, and including whether and how cybersecurity considerations affect the selection and oversight of these providers, and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
• The company undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
• The company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
• Previous cybersecurity incidents have informed changes in the company’s governance, policies or and procedures, or technologies;
• Cybersecurity related risk and incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition and, if so, how; and
• Cybersecurity risks are considered to be part of the company’s business strategy, financial planning, and capital allocation and, if so, how.

Governance

The SEC is proposing that Item 106(c) of Regulation S-K would require disclosure of a company’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the company’s cybersecurity policies, procedures, and strategies.

With respect to the board’s oversight of cybersecurity risk, disclosure required by proposed Item 106(c)(1) would include a discussion, as applicable, of the following:

• Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
• The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
• Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.

Proposed Item 106(c)(2) of Regulation S-K would require a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the company’s cybersecurity policies, procedures, and strategies, including, but not be limited to, the following information:

• Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
• Whether the company has a designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the company’s organizational chart, and the relevant expertise of any such persons (proposed Instruction 2 to Item 106(c) provides guidance that “expertise” may include, for example: prior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity);
• The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
• Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.

Definitions

Proposed Item 106(a) of Regulation S-K would define the terms “cybersecurity incident,” “cybersecurity threat,” and “information systems,” as used in proposed Item 106 and proposed Form 8-K Item 1.05, as follows:

• “Cybersecurity incident” means an unauthorized occurrence on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.
• “Cybersecurity threat” means any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.
• “Information systems” means information resources, owned or used by the company, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the company’s information to maintain or support the company’s operations.

The SEC notes that these definitions are derived from a number of pre-existing sources identified in the Proposing Release. The SEC also notes that what constitutes a “cybersecurity incident” for purposes of the proposed rules “should be construed broadly and may result from any one or more of the following: an accidental exposure of data, a deliberate action or activity to gain unauthorized access to systems or to steal or alter data, or other system compromises or data breaches.”

Disclosure Regarding the Board of Directors’ Cybersecurity Expertise

The SEC proposes to amend Item 407 of Regulation S-K by adding paragraph (j) to require disclosure about the cybersecurity expertise of members of the board of directors of the company, if any. If any member of the board has cybersecurity expertise, the company would be required to disclose the name(s) of any such director(s) and provide such details as necessary to fully describe the nature of the expertise. These proposed disclosure requirements would build upon the existing disclosure requirements in Item 401(e) of Regulation S-K (business experience of directors) and Item 407(h) of Regulation S-K (board risk oversight). The proposed Item 407(j) disclosure would be required in a company’s proxy or information statement when action is to be taken with respect to the election of directors, and in the company’s Annual Report on Form 10-K (either directly or through incorporation by reference from the proxy statement).

Proposed Item 407(j)(1)(ii) would include the following non-exclusive list of criteria that a company should consider to determine whether a director has expertise in cybersecurity:

• Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
• Whether the director has obtained a certification or degree in cybersecurity; and
• Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.

Proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 of the Securities Act of 1933, as amended, as a result of being designated or identified as a director with expertise in cybersecurity pursuant to proposed Item 407(j). This proposed safe harbor “is intended to clarify that Item 407(j) would not impose on such person any duties, obligations, or liability that are greater than the duties, obligations, and liability imposed on such person as a member of the board of directors in the absence of such designation or identification.”

Disclosure by Foreign Private Issuers

Foreign private issuers are not required to file Current Reports on Form 8-K, and instead must furnish on Form 6-K copies of all information that the foreign private issuer: (i) makes, or is required to make, public under the laws of its jurisdiction of incorporation; (ii) files, or is required to file, under the rules of any stock exchange; or (iii) otherwise distributes to its security holders. The SEC proposes to amend General Instruction B of Form 6-K to reference material cybersecurity incidents among the items that may trigger a current report on Form 6-K. The SEC notes that, as with proposed Item 1.05 of Form 8-K, the proposed change to Form 6-K “is intended to provide timely cybersecurity incident disclosure in a manner that is consistent with the general purpose and use of Form 6-K.”

Where a foreign private issuer has previously reported an incident on Form 6-K, the SEC’s proposed amendments would require disclosure of material changes, additions, or updates regarding such incident, consistent with proposed Item 106(d)(1) of Regulation S-K. The SEC proposes to amend Form 20-F to require that foreign private issuers disclose on an annual basis information regarding any previously undisclosed material cybersecurity incidents that have occurred during the reporting period, including a series of previously undisclosed individually immaterial cybersecurity incidents that has become material in the aggregate.

The SEC proposes to amend Form 20-F to add Item 16J, which would require a foreign private issuer to include in its Annual Report on Form 20-F the same type of disclosure that the SEC proposes to require in Items 106 and 407(j) of Regulation S-K.

Inline XBRL

The SEC proposes to require that companies tag the information specified by Item 1.05 of Form 8-K and Items 106 and 407(j) of Regulation S-K in Inline XBRL in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual. The proposed tagging requirements would include block text tagging of narrative disclosures, as well as detail tagging of quantitative amounts disclosed within the narrative disclosures.

Next Steps

The SEC’s proposed amendments represent a significant step in the SEC’s long-term efforts to promote greater transparency regarding cybersecurity incidents. The SEC proposes to move past reliance on existing disclosure requirements and interpretive guidance by creating an entirely new disclosure regime that will apply to current disclosure of cybersecurity incidents and periodic disclosure of companies’ efforts to prevent such incidents from occurring and/or having an adverse impact. If adopted, the disclosure requirements will require companies to evaluate and adapt their existing disclosure controls and procedures and governance structures around cybersecurity risk.

[1] Release No. 33-11038, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Mar. 9, 2022), available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf (the “Proposing Release”).

[2] CF Disclosure Guidance: Topic No. 2 – Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

[3] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459
(Feb. 26, 2018), available at https://www.sec.gov/rules/interp/2018/33-10459.pdf (the “2018 Interpretive Release”).

[4] See, e.g., TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976); Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988); and Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011).