The U.S. Securities and Exchange Commission has proposed rules and amendments to enhance and standardize the reporting on cybersecurity risk management, strategy, governance and incidents disclosed by public companies.
In particular, the proposed rules, which were distributed on March 9, 2022, set forth in Release No. 33-11038 (the Rule Proposal), would require current reporting on Form 8-K of material cybersecurity incidents, as well as periodic disclosures about a company’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing such policies and procedures, and the board’s expertise along with its role in providing oversight of cybersecurity risks.
In addition, companies would be required in their periodic reports to provide updates regarding previously reported cybersecurity incidents. The Rule Proposal would require amendments to several existing rules and forms and provide for the required disclosure to be in the Inline eXtensible Business Reporting Language (Inline XBRL) format. The key provisions of the Rule Proposal are summarized in this alert.
The proposed rules are in response to the inconsistencies and alleged underreporting that the SEC has noted across public companies with respect to material cybersecurity incidents and the potential costs and harm that may be caused by a cybersecurity incident. Under the Rule Proposal, a cybersecurity incident is defined as “an unauthorized occurrence on or conducted through a [company’s] information systems that jeopardizes the confidentiality, integrity, or availability of a [company’s] information systems or any information residing therein.”
The SEC notes costs and adverse consequences that companies may incur from a cybersecurity incident including business interruption, decreased production, ransom demands, increased protection costs, litigation risks and lost revenues from intellectual property theft. The proposed rules are intended to provide more timely and consistent disclosure to investors about these risks and a company’s ability to address them through disclosures that can be compared across industries.
The SEC notes that its previous interpretive guidance regarding disclosure obligations of cybersecurity risks in CF Disclosure Guidance: Topic No. 2 - Cybersecurity from 2011 and Commission Statement and Guidance on Public Company Cybersecurity Disclosures from 2018 would still apply if the proposed rules are adopted.
In summary, the proposed rules would:
- Amend Forms 8-K and 6-K to require current disclosure of material cybersecurity incidents.
- Add new Item 106 of Regulation S-K requiring companies to provide:
- Updated disclosure in Forms 10-Q and 10-K regarding previously reported cybersecurity incidents, as well as requiring disclosure when a series of previously undisclosed immaterial cybersecurity incidents becomes material in the aggregate;
- Descriptions of policies and procedures to identify and manage risks from cybersecurity threats, including whether the company considers cybersecurity risks as part of its business strategy, financial planning and capital allocation; and
- Disclosure of the board’s oversight of cybersecurity risk, management’s role in assessing and managing such risk, management’s cybersecurity expertise and management’s role in implementing the company’s cybersecurity policies, procedures and strategies.
- Amend Item 407 of Regulation S-K to require disclosure of whether any board member has expertise in cybersecurity and, if so, the nature of the expertise.
Form 8-K Amendment
Under the Rule Proposal, new Item 1.05 would be added to Form 8-K that would require a company to provide the following information about a material cybersecurity incident:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the company’s operations; and
- Whether the company has remediated or is currently remediating the incident.
The filing would be due within four business days of the company’s determination that a material cybersecurity incident had occurred.
According to the Rule Proposal, non-exclusive examples of cybersecurity incidents include:
- An unauthorized incident that has compromised the confidentiality, integrity or availability of an information asset (data, system or network), or violated a company’s security policies or procedures;
- An unauthorized incident that caused degradation, interruption, loss of control, damage to or loss of operational technology systems;
- An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or stole sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the company;
- An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
- An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.
Item 1.05 contemplates that whether a cybersecurity incident is material may not be immediately apparent upon discovery, therefore, consistent with prior SEC instruction, the triggering date would be the date that the materiality determination is made. Instructions to proposed Item 1.05 require a company to make its materiality determination “as soon as reasonably practicable after discovery of the incident.” Once a materiality determination has been made, it would not provide for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident.
The Rule Proposal would also amend General Instruction B of Form 6-K to make cybersecurity incidents one of the items that would trigger reporting on the form.
No Impact on S-3 Eligibility or Section 10(b) or Rule 10b-5 Safe Harbors
The Rule Proposal would amend the general instructions to Forms S-3 and SF-3 so that failure to timely file a Form 8-K for Item 1.05 would not disqualify a company from being eligible to use the respective form. Similarly, the Rule Proposal would amend Rules 13a-11 and 15d-11 of the Securities Exchange Act of 1934 (the Exchange Act) so that failure to file a Form 8-K for Item 1.05 would be included in the list of Form 8-K items that are eligible for the safe harbor from liability under Section 10(b) or Rule 10b-5 of the Exchange Act.
Amendments to Periodic Reports (10-K and 10-Q)
Under the Rule Proposal, Item 106(d)(1) of Regulation S-K would require companies to provide updates in their Forms 10-Q (and Form 10-K for the fourth quarter) for cybersecurity incidents previously reported on Form 8-K that occur during the covered period. The non-exclusive examples of possible disclosures include:
- Material impacts of the cybersecurity incident on the company’s operations and financial condition;
- Potential material future impacts on the company’s operations and financial condition;
- Remediation efforts; and
- Changes to the company’s policies and procedures resulting from the incident and how the incident may have informed such changes.
Under proposed Item 106(d)(2), companies would be required to disclose previously undisclosed and immaterial cybersecurity incidents if they become material in the aggregate. In such cases, companies would have to provide information regarding:
- When the incidents were discovered and whether they are ongoing;
- A brief description of the nature and scope of such incidents;
- Whether any data was stolen or altered;
- The impact of such incidents on the company’s operations and actions; and
- Whether the company has already remediated or is currently remediating the incidents.
The disclosure would have to be provided in the Form 10-Q (or 10-K) for the quarter in which the company makes the determination the incidents are material in the aggregate.
Item 106(b) – Disclosure of Policies and Procedures
Proposed Item 106(b) of Regulation S-K would require disclosure of information regarding companies’ policies and procedures to identify and manage cybersecurity risks and threats. Required disclosure would include whether:
- The company has a cybersecurity risk assessment program and, if so, a description of such program;
- The company engages assessors, consultants, auditors or other third parties in connection with any cybersecurity risk assessment program;
- The company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to its customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
- The company undertakes activities to prevent, detect and minimize effects of cybersecurity incidents;
- The company has business continuity, contingency and recovery plans in the event of a cybersecurity incident;
- Previous cybersecurity incidents have informed changes in the company’s governance, policies and procedures or technologies;
- Cybersecurity-related risk and incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition and, if so, how; and
- Cybersecurity risks are considered as part of the company’s business strategy, financial planning, and capital allocation and, if so, how.
Item 106(c) – Governance
Proposed Item 106(c) of Regulation S-K would require disclosure of a company’s oversight of cybersecurity risk, including the roles played by its management and board. Companies would have to disclose the following with respect to their boards of directors:
- Whether the entire board, specific board members or a board committee is responsible for the oversight;
- The board’s processes for being informed about cybersecurity risks and the frequency of its discussions on this topic; and
- Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management and financial oversight.
Disclosure of management’s oversight of cybersecurity risks and role in implementing related cybersecurity policies, procedures, and strategies would include, but not be limited to, the following:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection and remediation of cybersecurity incidents, as well as the relevant expertise of such persons or members;
- Whether the company has a designated a chief information security officer, or someone in a comparable position, and, if so, to whom that individual reports within the company’s organizational chart, as well as the relevant expertise of any such persons;
- The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents; and
- Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.
Item 407(j) – Board of Directors’ Cybersecurity Expertise
Under the Rule Proposal, a company would be mandated to disclose any cybersecurity expertise on its board of directors under new section (j) of Item 407 of Regulation S-K. Proposed Item 407(j) would require a company to disclose the names of any directors with such expertise and descriptions of the nature of such expertise in its proxy statement or information statement in connection the election of directors, and in its Form 10-K. Cybersecurity expertise of a director is not defined in Proposed Item 407(j) but may include:
- Prior work experience in cybersecurity;
- A certification or degree in cybersecurity; and/or
- Any knowledge, skills or other background in cybersecurity.
A person with cybersecurity expertise would not be deemed by Proposed Item 407(j) to be an expert for any other purpose nor would such a designation increase a director’s responsibilities, obligations or liabilities as a board member.
Foreign Private Issuers
Finally, the Rule Proposal would amend Form 20-F to provide for similar reporting as discussed above for foreign private issuers by adding Item 16J. Foreign private issuers would provide updates to cybersecurity incidents previously reported on Form 6-K as well as previously undisclosed material incidents, including those that have become material in the aggregate, on Form 20-F.
In preparation for the possible substantial adoption of the Rule Proposal, public companies should consider how the proposed rules are likely to impact them and their businesses. For example, key considerations include:
- Companies should ensure that they have disclosure controls and procedures in place to quickly identify cybersecurity incidents and that those incidents are promptly reported to management.
- Management and the board must also have appropriate reporting and governance structures to ensure that they can promptly make a determination regarding whether a cybersecurity incident—or a series of cybersecurity incidents in the aggregate—is material and requires reporting.
- Companies without policies and procedures regarding the management of cybersecurity risks should begin preparations to adopt them.
- Companies with existing policies and procedures regarding cybersecurity should review them and consider enhancements in light of the disclosure requirements under the Rule Proposal.
- In some cases, determining whether an incident is material may be challenging. A company should consider adopting a policy specifying the circumstances under which it would consider a cybersecurity incident—or a series of cybersecurity incidents in the aggregate—to be material and should review such policy periodically to ensure that it appropriately addresses risks to its business and related costs.
- Companies without a cybersecurity expert on the board will have to disclose such absence if the proposed rules are adopted. The nominating and corporate governance committee or its equivalent may consider the impact of this disclosure when recommending board candidates.
- Boards of directors should receive regular updates from management regarding cybersecurity matters, including areas of risk, areas of focus, business systems readiness, cybersecurity incidents and remediation.
- Boards should clearly delineate oversight responsibilities for cybersecurity matters, including updating committee charters with specific coverage where necessary.
The SEC has established a deadline of the later of 30 days after publication in the Federal Register or May 9, 2022, as the deadline for the public to submit comments regarding the Rule Proposal.