On March 9, 2022, the SEC proposed new rules (“Proposed Rules”) that would expand the cybersecurity disclosures required of public companies subject to the reporting requirements of the Securities Exchange Act of 1934 (“Exchange Act”). Existing SEC rules do not explicitly require cybersecurity disclosures; instead, management decides what to disclose based on its own materiality assessment. If adopted, the Proposed Rules would impose new reporting obligations with respect to cybersecurity matters: current and periodic reporting of material cybersecurity incidents; periodic disclosure of a company’s policies and procedures for identifying and managing cybersecurity risks; disclosure of management’s role and expertise in implementing cybersecurity policies, procedures, and strategies; and disclosure of the board of directors’ oversight role and cybersecurity expertise, if any.
Overview of SEC’s Proposed Cybersecurity Disclosure Requirements
Disclosures of Material Cybersecurity Incidents
The Proposed Rules would require a company to file a Form 8-K within four (4) business days after the company determines that it has experienced a material cybersecurity incident. Specifically, the new Form 8-K line item would require disclosure of the following items of information, to the extent such information is known at the time of the filing: (i) when the incident was discovered and whether it is ongoing; (ii) a brief description of the nature and scope of the incident; (iii) whether any data was stolen, altered, accessed or used for any other unauthorized purpose; (iv) the effect of the incident on the company’s operations; and (v) whether the company has remediated or is currently remediating the incident.
The trigger for the proposed Item 1.05 Form 8-K is the date on which a company determines that a cybersecurity incident it has experienced is material, rather than the date on which the incident is discovered. The purpose of this timing is to focus the disclosure on incidents that are material to investors, although it also means the materiality determination itself must be made without unreasonable delay once an incident is discovered.
The Proposed Rules do not provide specific guidance on how to determine whether a cybersecurity incident is material. Instead, materiality is to be evaluated in light of the total mix of information, taking into account all relevant facts and circumstances surrounding the incident, both quantitative and qualitative. The Proposed Rules provide examples of incidents that could be material, such as accidental exposure or theft of sensitive business information, intellectual property or personally identifiable information; threats to sell or publicly disclose sensitive data; and ransomware demands.
Under the Proposed Rules, any material changes or updates to cybersecurity incidents that were previously disclosed must be disclosed in subsequent Form 10-Q and Form 10-K reports. In addition, a series of individually immaterial cybersecurity incidents that later become material in the aggregate would need to be disclosed in subsequent Form 10-Q and Form 10-K reports.
Disclosures Regarding Cybersecurity Risk Management and Strategy
The Proposed Rules would also require companies to provide more consistent and informative disclosure regarding their cybersecurity risk management strategies. The Proposed Rules would amend Regulation S-K to require a description of a company’s policies and procedures, if any, for identifying and managing risks from cybersecurity threats, including operational risk; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk.
In addition, the Proposed Rules specify a series of items that must be disclosed, such as (i) a description of the company’s cybersecurity risk assessment program; (ii) whether the company engages assessors, consultants, auditors or other third parties in connection with any cybersecurity risk assessment program; (iii) whether cybersecurity related risk and incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition; and (iv) whether the cybersecurity risks are considered as part of the company’s business strategy, financial planning, and capital allocation.
Disclosure Regarding Cybersecurity Governance
The Proposed Rules would require disclosure regarding a company’s cybersecurity governance with respect to both the board of directors and management levels. Regarding board oversight, the Proposed Rules would require disclosure of (i) whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks; (ii) the processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and (iii) whether and how the board or a board committee considers cybersecurity risks as part of its business strategy, risk management and financial oversight.
With respect to management’s role, the Proposed Rules would also require specific disclosures, including, but not limited to: (i) whether certain management positions or committees are responsible for managing cybersecurity risk; (ii) whether the company has a designated chief information security officer (CISO) or similar role; (iii) the processes by which the responsible persons or committees are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents; and (iv) whether, and how frequently, such persons report to the board of directors or a committee of the board on cybersecurity risk.
Disclosures Regarding Board Expertise
The Proposed Rules would also require disclosure about the cybersecurity expertise of members of the board, if any. The Proposed Rules do not define “cybersecurity expertise” but provide several factors to consider in reaching a determination on whether a director has expertise in cybersecurity, such as prior work experience or certifications in cybersecurity. These disclosures would be required in both the company’s proxy statement and Form 10-K.
The Proposed Rules include two provisions that potentially mitigate liability concerns associated with the proposed new requirements. First, an untimely Form 8-K disclosure of a material cybersecurity incident would not result in a loss of Form S-3 eligibility. Second, untimely disclosures of material cybersecurity incidents would be eligible for a limited safe harbor from liability under Section 10(b) of the Exchange Act and Rule 10b-5.
The Proposed Rules underscore the SEC’s focus on cybersecurity by requiring ongoing disclosure of companies’ governance, risk management, and strategy with respect to cybersecurity risks, as well as by mandating reporting of material cybersecurity incidents. Because the four-business-day clock runs from the materiality determination, companies should strengthen their disclosure controls and procedures so that cybersecurity incidents are escalated promptly from the security and IT functions to the personnel responsible for materiality assessments and SEC reporting.
The Proposed Rules are open for comment until 30 days after publication in the Federal Register or May 9, 2022 (whichever is later). The SEC will then assess public comments that are submitted and vote on a final rule.