On March 9, 2022, the Securities and Exchange Commission (SEC) announced proposed rules requiring publicly listed companies to make several specific disclosures related to cybersecurity incidents and the registrant's management and governance of cyber risks. The new rules build on SEC Staff Guidance released in 2011 and a 2018 Interpretive Release.
The proposed rules include:
- A four-business-day notification deadline for reporting material cybersecurity incidents;
- Mandatory disclosures regarding the board of directors' oversight of cybersecurity risk and individual board members' cybersecurity expertise; and
- Mandatory disclosures regarding the role of management in addressing cybersecurity risk.
The proposed rules include numerous questions for public comment. Comments currently are due by May 9, 2022.
Reporting of Material Cybersecurity Incidents
The proposed rules would amend Form 8-K to require that companies disclose information about material cybersecurity incidents within four business days after determining that the incident is material. The amended Form 8-K would require disclosure of the following information about the incident, to the extent known at the time of filing:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the company's operations; and
- Whether the company has remediated or is currently remediating the incident.
Notably, the four-business-day notification deadline would start running on the date the company determines that a cyber incident was material, not the date the incident is discovered (as is typically the case under incident reporting rules). Companies must determine whether an incident is material "as soon as reasonably practicable after discovery of the incident."
Running the notification deadline from the date materiality is determined rather than the date the incident is discovered could cut both ways for registrants. On the one hand, this gives registrants more flexibility as to when (if ever) an incident must be disclosed on a Form 8-K. On the other hand, when it is not immediately clear whether an incident is material, which is frequently the case, companies will need to continually reassess materiality as the investigation progresses. Registrants are advised to carefully document and update the materiality analysis so it is clear when, if ever, the company decided the incident was material.
Significantly, the proposed rules would also make Form 8-K disclosures of cybersecurity incidents eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act, which prohibit making false statements of material facts or material omissions in disclosures and contain an implied private right of action.
If material facts are uncovered after the company submits the initial Form 8-K disclosure, the proposed rules require companies to update the disclosure in either their Form 10-Q quarterly reports or Form 10-K annual reports. Moreover, the proposed rules would require companies to disclose instances "when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate."
What Is a Material Cyber Incident?
The proposed rules define a cybersecurity incident as "an unauthorized occurrence on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The proposal states that cybersecurity incidents "should be construed broadly and may result from any one or more of the following: an accidental exposure of data, a deliberate action or activity to gain unauthorized access to systems or to steal or alter data, or other system compromises or data breaches."
The definition of cybersecurity incidents under the proposed rules is broader than that of data breaches under state laws. For example, the proposed rules' definition includes incidents resulting in operational impacts but no unauthorized access to or acquisition of personal information, while state breach notification laws are typically triggered only by the latter.
Even where a cybersecurity incident has occurred, it must be disclosed on a Form 8-K only if it is material. The proposed rules emphasize that assessing the materiality of a cybersecurity incident will require a fact-intensive and context-specific inquiry. The SEC advises that in making this determination, companies must "thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material."
Based on this holistic evaluation, the company would need to decide whether an incident would be considered material from the perspective of a reasonable investor. To be sure, a company cannot determine that an incident is non-material based solely on its limited financial impact as it will "depend[ ] on the significance the reasonable investor would place on" the incident.
Periodic Disclosures Regarding Cybersecurity Risk Management and Governance
The proposed rules would also amend Form 10-K to require companies to make periodic disclosures about their internal policies for managing cybersecurity risks. These disclosures broadly fall into three categories: (1) cybersecurity policies and procedures; (2) the board of directors' role in cybersecurity risk management; and (3) management's role and expertise in implementing the company's cybersecurity policies.
Policies and Procedures
The proposed rules would require companies to describe their policies and procedures, if they have any, for identifying and managing cybersecurity risks, including those risks related to business operations, intellectual property theft, fraud, extortion, harm to employees or consumers, violations of privacy laws, and the registrant's reputation. Specifically, a registrant would be required to disclose whether:
- The company has a cybersecurity risk assessment program and to describe that program;
- The company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
- The company maintains policies and procedures to identify and mitigate the cybersecurity risks associated with its use of any third-party service provider (including but not limited to those providers that have access to the company's customer and employee data);
- The company undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
- The company maintains business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
- Previous cybersecurity incidents have informed changes in the registrant's governance, policies and procedures, or technologies;
- Cybersecurity-related risk and incidents have affected or are reasonably likely to affect the registrant's results of operations or financial condition and, if so, how; and
- Cybersecurity risks are considered as part of the registrant's business strategy, financial planning, and capital allocation and, if so, how.
The proposed rules require registrants to disclose how their boards of directors oversee company cybersecurity risk management. Specifically, the proposed rules would require disclosure of:
- Whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks;
- The processes by which the board is informed about cybersecurity risks and the frequency of its discussions on this topic; and
- Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.
In addition, the proposed rules would require companies to disclose whether any members of the board of directors have cybersecurity expertise, including the names of any such directors and a description of their expertise.
The proposed rules would require companies to disclose management's role in assessing cybersecurity risks and implementing the companies' policies. Specifically, registrants would be required to disclose:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
- Whether the registrant has designated a chief information security officer or someone in a comparable position and, if so, to whom that individual reports within the registrant's organizational chart and the relevant expertise of any such persons;
- The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
- Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.
Increasingly Complex Notification Environment
These proposed rules continue a flurry of regulatory activity around cybersecurity in general and incident notification in particular. As discussed in our prior post here, in February the SEC proposed new cyber-notification and safeguards rules for registered investment advisors and funds. The SEC has also been active in policing cybersecurity and disclosure shortcomings, coming to a number of high-value settlements in 2021 (see prior blog posts here and here).
Companies are also increasingly likely to find themselves navigating overlapping—and in some cases conflicting—incident notification requirements. In December 2021, the Federal Trade Commission (FTC) issued a supplemental notice of proposed rulemaking that would amend the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule to require non-bank financial institutions to notify the FTC within 30 days of becoming aware of incidents in which the misuse of customer information has occurred or is reasonably likely and that affects or reasonably may affect at least 1,000 consumers.
A final rule recently announced by federal banking regulators requires banking organizations to notify their federal regulators of significant cybersecurity incidents within 36 hours after determining that an event occurred. And the omnibus spending bill signed by President Biden on March 15, 2022, requires operators of critical infrastructure to report significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours. Each of these three requirements defines differently the incidents that must be reported, and those definitions vary from the analogous definitions in state data breach laws.
It is not difficult to see how these various reporting requirements might clash. For example, as the SEC acknowledges in the proposed rules, a company may be required to disclose an incident in a Form 8-K even though it is delaying reporting under state laws due to a law enforcement delay.
A Focus on Transparency, Not Prescriptive Rules
In contrast to the SEC's February 2022 rules for registered investment advisors and funds, the SEC's proposed rules for publicly traded companies do not contain prescriptive requirements for internal cybersecurity safeguards. These proposed rules, for example, do not require companies to institute cyber compliance policies or ensure adequate board and management oversight. But by mandating disclosure of whether a registrant has these mechanisms, the SEC is effectively regulating through transparency.
Many registrants will be hesitant to disclose publicly that they lack key cyber controls and, therefore, will face pressure to improve their cybersecurity programs. Registrants will need to adopt policies and procedures and board and management oversight to meet the four-business-day disclosure deadline as well.