Following closely on its proposal for substantial new cybersecurity requirements for investment advisers and registered investment companies, the Securities and Exchange Commission (SEC) unveiled a new slate of proposed cybersecurity disclosure rules for public companies. The proposed new cybersecurity mandates for publicly traded companies are designed to standardize cybersecurity-related incident reporting, governance, and risk management and emphasize the increasing importance of cybersecurity as a dimension of corporate governance. Their stated purpose is to provide “consistent, comparable, and decision-useful” information to investors. If adopted, these rules will require public companies to disclose: 1) any cybersecurity incidents within four business days of the company’s determination that the incident is “material”; and 2) on an annual basis, describe its cybersecurity risk management policies and procedures, governance practices, and to what extent board members possess cybersecurity expertise. The proposed rules are subject to a public comment period through May 9, 2022.
The proposed rules would require public companies to file a Form 8-K within four business days of the determination that a company has experienced a material cybersecurity incident. The proposal defines a “cybersecurity incident” broadly as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
That the countdown to the company’s reporting deadline begins upon a determination of materiality, rather than upon discovery, is notable. A determination of materiality (applying the traditional materiality standards under federal securities law) must be made “as soon as reasonably practicable” after discovery of the incident. Disclosure may not be delayed during the process of an ongoing internal or external investigation of the incident. As defined in the proposal, several nonexclusive illustrative examples of material cybersecurity incidents include: the accidental exposure or theft of sensitive business information or intellectual property, damage or loss of control of operational technology, ransomware attacks, and threats to sell or publicly disclose sensitive company data.
The rules require disclosure of the following information to the extent it is known:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the registrant’s operations; and
- Whether the registrant has remediated or is currently remediating the incident.
The proposed rules do not provide greater clarity from prior guidance for when an incident is “material.” All of the examples in the proposed rules are cybersecurity incidents that happen with some frequency in today’s cyberthreat environment and the impacts can vary wildly from incident to incident, depending on the facts at hand. Important to note, however, that an untimely filing of Item 1.05 disclosure on Form 8-K would not result in a loss of Form S-3 and Form F-3 eligibility and would be covered by the safe harbor for Section 10(b) and Rule 10b-5 liability. With respect to foreign private issuers, the amendments would similarly create a disclosure trigger for cybersecurity incidents on Form 6-K.
The rules would further require disclosure of any updates in successive Form 10-Q and 10-K regarding:
- Any material changes or updates to the cybersecurity incidents that were previously disclosed in Form 8-K; and
- Any previously undisclosed and individually immaterial cybersecurity incidents that have become material in aggregate.
The proposed rules contain additional Form 10-K disclosure requirements as well. Specifically, the rules would require public companies to disclose information regarding the following:
Cybersecurity Risk Management and Strategy
The proposal requires companies to disclose any policies and procedures they have adopted to identify and manage cybersecurity risks and threats, including: (1) operational risk; (2) intellectual property theft; (3) fraud; (4) extortion; (5) harm to employees or customers; (6) violation of privacy laws and other litigation and legal risk; and (7) reputational risk. Items that would require disclosure include whether:
- The company has a cybersecurity risk assessment program and if so, a description of the program;
- The company engages consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
- The company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third party service provider;
- The company undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
- The company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
- Previous cybersecurity incidents have informed changes in the company’s governance, policies and procedures, or technologies;
- Cybersecurity-related risk and incidents have affected or are reasonably likely to affect the company’s results of operations or financial conditions; and
- Cybersecurity risks are considered as part of the company’s business strategy, financial planning, and capital allocation.
In addition, the proposed rules would require disclosure of a company’s cybersecurity governance at the board and management levels. With respect to the board’s oversight of cybersecurity risk, the proposed rules would require disclosure of:
- Whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks;
- The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
- Whether and how the board or a board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.
With respect to management’s oversight of cybersecurity risk, the proposed rules would require disclosure of:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk;
- Whether the company has a designated chief information officer, or someone in a comparable position;
- The process by which responsible persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
- Whether and how frequently such persons or committees report to the board or a board committee on cybersecurity risk.
Board Cybersecurity Expertise
The proposed rules would also require a company to identify the level of cybersecurity expertise among its board members, if any. If board members with cybersecurity expertise exist, the company would need to disclose their name(s) and provide a description of the director’s expertise. While the rules do not define “cybersecurity expertise,” they do provide a non-exclusive list of considerations that a company should consider in reaching a determination as to this matter, including whether the director has:
- Prior work in cybersecurity;
- Obtained a certification or degree in cybersecurity; and
- Knowledge, skills or other background in cybersecurity.
Notably, the SEC specified that any director(s) identified as having cybersecurity expertise will not formally be deemed an “expert” nor would they inherit any additional duties, obligations, or liability.
As we have written about in the past, while the SEC has long required companies to disclose information regarding cybersecurity incidents, as a practical matter the new proposals constitute a new regime of cybersecurity obligations. For instance:
- The proposed rules would impose an aggressive four-business-day disclosure deadline, which companies may find arduous to meet without prompt escalation and assessment procedures in place. This underscores the importance of creating an incident response policy in advance to ensure that: 1) the employees responsible for cybersecurity have a clear assessment and escalation framework in place; 2) disclosure committees are connected directly to those responsible for detecting and reporting cybersecurity incidents; and 3) counsel is promptly engaged in order to determine materiality and ensure that SEC requirements are met without compromising remediation efforts.
- Following disclosure of a material cybersecurity incident, companies should track incident remediation efforts in order to timely make the required updates in subsequent Form 10-K and 10-Q filings.
- Given the level of specificity of the proposed disclosure requirements, company management and board members should consider reviewing cybersecurity policies in place and contemplating any omissions in their disclosure procedures.
- Companies should also ensure that cybersecurity risk is calculated within the board’s or board committee’s broader risk management framework, and that clear risk management procedures are in place. The proposed rules identify a list of considerations that must be disclosed concerning companies’ cybersecurity strategies, which likely indicates the SEC’s expectations regarding what a robust cybersecurity program looks like.
- Companies should contemplate increasing cybersecurity expertise at the board level, including whether committee oversight would be appropriate. While the proposal does not obligate changes to governance, companies should consider how “gaps” in disclosures could be perceived by investors.
 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, SEC Docket (CCH) 719375, at 106–07.