On March 9, the SEC proposed rules on cybersecurity risk management, strategy, governance and incident disclosure. The proposed rules build upon the SEC’s 2011 and 2018 guidance relating to cybersecurity risks and incidents. While the prior guidance has generally improved reporting on these matters, the varying disclosure practices across companies of different sizes and industries relating to a wide range of cybersecurity events prompted the SEC to take further action for more standardized reporting.
Incident Reporting – New Item 1.05 of Form 8-K (Current Reporting)
To provide investors with more timely and comparable disclosure relating to material cybersecurity incidents, the SEC proposes new Item 1.05 of Form 8-K to require a company to disclose the following information, to the extent known at the time of filing, within four business days after it determines that it has experienced a material cybersecurity incident:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
- The effect of the incident on the company’s operations; and
- Whether the company has remediated or is currently remediating the incident.
Notably, it is the materiality determination rather than the discovery of the incident that is the trigger for Form 8-K reporting purposes. Companies would be required to make such materiality determinations – objectively considering all relevant facts and circumstances, including both quantitative and qualitative factors, from a reasonable investor’s perspective based on the total mix of information – as soon as reasonably practicable after discovering an incident. Importantly, the SEC would not expect a company to disclose specific information or detail that would impede its response to or remediation of the incident.
Incident Reporting Updates, Risk Management, Strategy and Governance – New Item 106 of Regulation S-K (Periodic Reporting)
Recognizing the dynamic and evolving nature of cybersecurity incidents, the SEC proposes new Item 106 of Regulation S-K to provide investors with disclosure in Forms 10-K and 10-Q about both material changes or updates to previously reported (under Item 1.05 of Form 8-K, as described above) cybersecurity incidents and any series of previously undisclosed cybersecurity incidents that have become material in the aggregate. The potential types of disclosure to be provided with respect to previously reported incidents include:
- Any material impact of the incidents on the company’s operations and financial condition;
- Any potential material future impacts on the company’s operations and financial condition;
- Whether the company has remediated or is currently remediating the incidents; and
- Any changes in the company’s policies and procedures as a result of the incidents, and how the incidents may have informed such changes.
With respect to any series of previously undisclosed cybersecurity incidents which have become material in the aggregate, the disclosure to be provided is the same as that required under Item 1.05 of Form 8-K.
Beyond disclosure regarding cybersecurity incidents, Item 106 would also require a company to provide the following disclosure of its risk management, strategy and governance regarding cybersecurity risks in its Form 10-K:
- Policies and procedures, if any, for identifying and managing cybersecurity risks, with specific discussion of whether, among other things:
  - The company has a cybersecurity risk assessment program;
  - The company engages assessors, consultants, auditors or other third parties in connection with the program;
  - The company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident; and
  - Changes in the company’s governance, policies and procedures or technologies were informed by previous cybersecurity incidents.
- The role of the board of directors in overseeing cybersecurity risks, including the processes by which the board is informed about cybersecurity risks, the frequency of its discussions on the topic and whether and how the board (or a committee thereof) considers cybersecurity risks as part of its business strategy, risk management and financial oversight; and
- Management’s role and relevant expertise in assessing and managing cybersecurity-related risks and implementing related policies, procedures and strategies.
Board Expertise in Cybersecurity – New Item 407(j) of Regulation S-K (Form 10-K or Proxy Statement Reporting)
Finally, given the continued focus on the role of a company’s board of directors with respect to cybersecurity matters, the SEC has proposed amending existing Item 407 of Regulation S-K to require disclosure of any cybersecurity expertise of members of a company’s board of directors. While the SEC has not defined what constitutes such expertise, it notes that a company should consider, among other things, a director’s prior work experience in cybersecurity, certification or degree in cybersecurity, and knowledge, skills or other background in cybersecurity in making the determination.
The proposed rules are subject to a comment period of at least 60 days. In light of the proposed disclosure requirements, companies should: (1) review and assess their policies and procedures for identifying and managing cybersecurity risks, including the role of management with respect to the same; (2) analyze their cybersecurity governance, particularly with respect to oversight by their boards of directors; (3) review the proposed reporting mechanics for material cybersecurity incidents, with particular regard to materiality determinations and reporting of previously undisclosed individually immaterial incidents that become material in the aggregate; and (4) continue to consider cybersecurity expertise in their evaluation of current and potential members of their board of directors.