On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new cybersecurity rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The text of the proposed rules is available here. The SEC proposal would continue to ratchet up cybersecurity as an increasingly critical dimension of corporate governance.
Key takeaways from the SEC’s release include the following:
1. Reporting material cybersecurity incidents within four days. The SEC would modify the Form 8-K reporting requirements to include reporting of any material cybersecurity incident to the SEC within four business days after the registrant determines it has experienced such an incident. Critically, the time to disclose is tied to a determination of materiality and not the date of the initial discovery of an incident that could, within time and after investigation, become a material event (or be determined not to be material). The proposed rules do not provide for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident. Form 8-K would request information such as when the incident was discovered, a description of the incident, the impact on data, the effect of the incident on the registrant’s operations, and the status of remediation. The proposed rules provide guidance on what constitutes “materiality” for the purposes of cybersecurity incidents, consistent with case law such as TSC Industries, Inc. v. Northway addressing materiality in the securities laws where there is “ ‘a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision or it would have altered the ‘total mix’ of information made available.” The proposed rules includes a nonexclusive list of cybersecurity events that may require disclosure, such as
a. an unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network) or violated the registrant’s security policies or procedures;
b. an unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
c. an incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant;
d. an incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
e. an incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.
Notably, all of these examples are cybersecurity incidents that may happen with frequency in today’s cyberthreat environment despite reasonable information security programs and defenses and that could vary in degree of impact from the trivial to the material, depending on the specific facts of the particular incident. The proposed rules do not provide substantially greater clarity from prior guidance for when an incident crosses the materiality threshold. That determination remains a complex analysis of several factors. However, an untimely filing of the proposed new 8-K item would not affect Form S-3 eligibility.
2. Updates of previously reported incidents. The proposed rules will also require updates about previously reported material cybersecurity incidents through registrant’s 10-Ks and 10-Qs for the period in which the update occured, such as the following nonexclusive examples: any material impact of the incident (or potential material future impacts) on the registrant’s operations and financial condition; whether the registrant has remediated or is currently remediating the incident; and any changes in the registrant’s policies and procedures as a result of the cybersecurity incident and how the incident may have informed such changes.
In addition, the proposed rules would require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. This would include reporting on, among other items, when those previously undisclosed incidents were discovered and whether they are ongoing.
3. Required disclosure of cybersecurity risk management and strategy. The SEC proposes to amend Form 10-K to require disclosures of a registrant’s cybersecurity risk management systems, which may include its policies and procedures for identifying, assessing, and managing the risks. The proposed rules include a nonexclusive list of risk management strategies, policies, and procedures that may require disclosure, such as whether
a. the registrant has a cybersecurity risk assessment program
b. the registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program
c. the registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider
d. the registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents
e. the registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident
f. previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies
g. cybersecurity-related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition
h. cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation
4. Required disclosures concerning cybersecurity governance. The SEC proposes to amend Form 10-K to require a description of the board’s oversight of cybersecurity risk as well as a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies. The proposed rules include a nonexclusive list of items that may be included in the description, such as
a. whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks
b. the processes by which the board is informed about cybersecurity risks and the frequency of its discussions on this topic
c. whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight
d. whether certain management positions or committees are responsible for measuring and managing cybersecurity risk
e. whether the registrant has a designated a chief information security officer or someone in a comparable position
f. the processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents
g. whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk
5. Required disclosures concerning board cybersecurity expertise. The SEC proposes to amend Item 407 of Regulation S-K to require a description of the cybersecurity expertise of a registrant’s board. The proposed rules include a nonexclusive list of items that may be included in the description, such as
a. whether the director has work experience in cybersecurity
b. whether the director has obtained a certification or degree in cybersecurity
c. whether the director has knowledge, skills, or other background in cybersecurity
6. Foreign private issuers required to provide cybersecurity disclosures. The SEC proposes to amend Form 6-K and 20-F to ensure that foreign private issuers’ disclosures are consistent with domestic forms.
7. Reporting must be presented in Inline eXtensible Business Reporting Language (Inline XBRL). XBRL is both machine-readable and human-readable and includes block text tagging as well as detail tagging of narrative disclosures.
The SEC established a public comment period concluding on the later of May 9, 2022 (60 days after the SEC issued its release), or 30 days after the Federal Register publishes the proposed release. The SEC’s proposing release seeks comment on more than 50 detailed issues.
Commissioner Hester Peirce published a statement dissenting on the proposed rules. Commissioner Peirce argued that the SEC’s role with respect to cybersecurity is limited and that the proposed rules act as “an unprecedented micromanagement by the Commission of the composition and functioning of both the boards of directors and management of public companies.” However, Commissioner Peirce offered some support to the rules relating to the reporting of material cybersecurity incidents, although she did note that in certain circumstances delaying disclosure of a material cybersecurity incident could be beneficial to a public company and supported by other federal and state governmental entities such as law enforcement.
These proposed rules are not the only recent SEC cybersecurity regulation. On February 9, 2022, the SEC proposed cybersecurity risk management rules for investment advisers, registered investment companies, and business development companies. Note that the SEC has not yet released a proposed rule to update Regulation S-P under the Gramm-Leach-Bliley Act and thus has not to date proposed any mandatory personal data breach reporting requirements for customer data held by regulated entities (such as broker-dealers or registered investment advisers). For information related to current best practices related to cybersecurity, see Sidley’s recent blog post on the topic or contact a member of the Sidley team.