SEC Proposes New and Amended Cybersecurity Rules for Public Companies
On March 9, 2022, the Securities and Exchange Commission (“SEC”) voted three-to-one to propose new and amended rules for public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 regarding cybersecurity risk management, strategy, governance, and incident reporting.[1] The Proposing Release (“Proposal”) states that the new and amended rules are intended to strengthen investors’ ability to assess public companies’ cybersecurity practices and to provide investors with timely notification of material cybersecurity incidents.
The proposed rules would dramatically expand current guidance (dating from 2011 and 2018), and if adopted, they will significantly impact how public companies and boards disclose cyber incidents and information relating to their cybersecurity oversight.[2]
This Dechert OnPoint summarizes main elements of the proposed rules and identifies key takeaways.
On October 13, 2011, the SEC’s Division of Corporation Finance issued interpretive guidance to help public companies assess their disclosure obligations related to cybersecurity risks and incidents.[3] Several years later, in early 2018, the SEC issued additional interpretive guidance that urged public companies to take all required actions to inform investors about material cybersecurity risks and incidents in a timely manner.[4]
Expanding on such guidance, the SEC’s proposed rules are part of a broader rulemaking project involving cybersecurity—on January 26, 2022, the SEC proposed expanding Regulation Systems Compliance and Integrity (“SCI”) to particular government securities trading platforms,[5] and on February 9, 2022,[6] the SEC proposed new cybersecurity obligations for registered investment advisers, registered investment companies, and business development companies.[7]
The SEC’s proposed rules would require disclosure of two broad categories of information: cybersecurity incidents and cybersecurity risk management, strategy, and governance.
Reporting of Cybersecurity Incidents on Form 8-K
If the rules are adopted as proposed, Form 8-K will require public companies to disclose information about a cybersecurity incident within four business days after the company determines that it has experienced a “material cybersecurity incident.”[8] Specifically, new Item 1.05 of Form 8-K would require a company to disclose:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the company’s operations; and
- Whether the incident has been remediated or the company is currently remediating the incident.
Whether a cybersecurity incident is “material” will be determined by the standard applicable to other securities laws: Information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision or it would have “significantly altered the ‘total mix’ of information made available.” The Proposing Release notes that the materiality analysis should not be a mechanical exercise or based solely on a quantitative analysis of an incident. Rather, public companies would need to evaluate the “total mix of information” related to the cybersecurity incident to determine whether it is material.
Importantly, the Proposing Release acknowledges that the SEC does not expect a company “to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the [company’s] response or remediation of the incident.”
The SEC is requesting comment on the proposed requirements under new Item 1.05, including whether: (i) the 8-K disclosure requirement appropriately balances the information needs of investors and the reporting burdens on public companies; (ii) the proposed disclosures and timing may have the unintentional effect of putting public companies at additional risk of future cybersecurity incidents; and (iii) an instruction should be included that a public company shall make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.
Reporting of Cybersecurity Incidents on Form 10-Q and 10-K
The SEC’s proposed rules would also require companies to provide updated disclosures about previously disclosed cybersecurity incidents and to disclose, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate.
Proposed Item 106 of Regulation S-K[9] would require public companies to disclose any material changes, additions, or updates to information required to be disclosed pursuant to new Item 1.05 of Form 8-K in subsequent Form 10-Q or 10-K filings. The types of disclosure that would be required in subsequent filings include any material impact of the incident on the company’s operations and financial condition; any potential material future impacts on the company’s operations and financial condition; whether the company has remediated or is currently remediating the incident; and any changes in the company’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes. If a series of undisclosed individually immaterial cybersecurity incidents become material in the aggregate, proposed Item 106 would also require companies to disclose: (i) when the incidents were discovered and whether they are ongoing; (ii) a brief description of the nature and scope of such incidents; (iii) whether any data was stolen or altered; (iv) the impact of such incidents on the company’s operations and the company’s actions; and (v) whether the company has remediated or is currently remediating the incidents.[10]
Disclosure of Governance and Oversight
Beyond material cybersecurity incidents, the proposed rules would also require enhanced and standardized disclosure of companies’ cybersecurity risk management, strategy, and governance.
New Item 106 of Regulation S-K would mandate disclosure, as applicable, of whether:
- The company has a cybersecurity risk assessment program and, if so, a description of such program;
- The company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
- The company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the company’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers, and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
- The company undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
- The company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
- Previous cybersecurity incidents have informed changes in the company’s governance, policies and procedures, or technologies;
- Cybersecurity-related risks and incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition and, if so, how; and
- Cybersecurity risks are part of the company’s business strategy, financial planning, and capital allocation and, if so, how.
New Item 106 would further require disclosure of a company’s cybersecurity governance, including a board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, its relevant expertise, and its role in executing pertinent policies, procedures, and strategies.
The SEC is seeking comment on proposed new Item 106, including whether: (i) the rule should define “cybersecurity;” (ii) required disclosures could undermine cybersecurity defense efforts by highlighting a company’s lack of policies and procedures related to cybersecurity; and (iii) certain categories of public companies—such as smaller reporting or emerging growth companies—should be exempt from the proposed requirements.
Disclosure of Board of Directors’ Cybersecurity Expertise
Amended Item 407 of Regulation S-K would require disclosure in annual reports and certain proxy filings of cybersecurity expertise among members of the board of directors of a public company. If applicable, the disclosure would include the name(s) of any such director(s) and a description of the nature of their expertise. Significantly, the proposed rule states that identified board members would not be considered an “expert” for Section 11 purposes.
The SEC has asked for comment on, among other things, whether: (i) disclosure of the names of persons with cybersecurity expertise would deter such persons from serving on a board of directors; (ii) certain categories of public companies (such as smaller reporting or emerging growth companies) should be excluded from the proposed requirement; and (iii) a safe harbor should be adopted to clarify that directors identified as having cybersecurity expertise would not have any increased level of liability under federal securities laws as a result of such identification.
Time will tell whether the Proposal will remain fully intact following what is likely to be an active comment period. The public comment period will remain open until May 9, 2022, or 30 days following publication of the Proposal’s release in the Federal Register, whichever is later.
- The Four-Business-Day Reporting Requirement Contains Nuance. Recognizing that businesses may need time to make a materiality determination, the four-business-day deadline begins to run only after a company determines that it has experienced a “material cybersecurity incident.” That said, this Proposal would impose an increased burden on companies during what is likely a crisis situation. Advance preparation and established procedures may be vital to ensure counsel receives the information necessary to assess disclosure obligations. Companies should therefore review their disclosure controls and procedures associated with the timing and reporting of cyber incidents to ensure conformity with the four-business-day reporting requirement.
- Public Companies May Expect an Increased Likelihood of SEC Action and/or Private Litigation. Given the malleable definition of “material,” public companies may expect heightened SEC scrutiny regarding when and how a company determines that it did or did not experience a “material cybersecurity incident.” Public companies may also expect an increased likelihood of investigations, fraud allegations, and litigation regarding management’s level of expertise, insider trading, and the status of a company’s cyber policies.
- Potential Disclosures Require Careful Consideration to Avoid Making Security Controls Available to Threat Actors. Because the proposed rules would require regular disclosure of policies and procedures for identifying and managing cybersecurity risks, companies will need to carefully consider the level at which disclosure can be made without endangering their cybersecurity programs.
- The Proposal Would Expand Disclosure Obligations, Causing Potential Duplication. The proposed rules would add another layer of disclosure requirements on top of existing federal and state disclosure obligations. The Proposing Release acknowledges the potential for duplicative disclosures, and as a result, the SEC seeks comment on this issue. Nonetheless, compliance costs will likely increase.
[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11038; 34-94382; IC-34529; File No. S7-09-22 (Mar. 9, 2022).
[2] As noted in the Proposing Release, the terms “public companies,” “companies,” and “registrants” include issuers that are business development companies as defined in section 2(a)(48) of the Investment Company Act of 1940, but not those investment companies registered under that Act.
[3] See CF Disclosure Guidance: Topic No. 2 – Cybersecurity (Oct. 13, 2011).
[4] See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release Nos. 33-10459; 34-82746 (Feb. 26, 2018).
[5] See Amendments to Exchange Act Rule 3b-16 Regarding the Definition of “Exchange”; Regulation ATS for ATSs That Trade U.S. Government Securities, NMS Stocks, and Other Securities; Regulation SCI for ATSs That Trade U.S. Treasury Securities and Agency Securities, Release No. 34-94062; File No. S7-02-22 (Jan. 26, 2022).
[6] See Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Release Nos. 33-11028; 34-94197; IA-5956; IC-34497; File No. S7-04-22 (Feb. 9, 2022).
[7] Business development companies, as defined in section 2(a)(48) of the Investment Company Act of 1940, may also be subject to the proposed rules outlined in Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11038; 34-94382; IC-34529; File No. S7-09-22 (Mar. 9, 2022).
[8] The Proposal defines a “cybersecurity incident” as “an unauthorized occurrence on or conducted through a [company’s] information systems that jeopardizes the confidentiality, integrity, or availability of a [company’s] information systems or any information residing therein.”
[9] Regulation S-K (17 C.F.R. Part 229 (2022)) outlines reporting requirements for various SEC filings used by public companies.
[10] The Proposing Release contains minimal guidance on assessing when individually immaterial cybersecurity incidents become material in the aggregate. A single example describes a “malicious actor engag[ing] in a number of smaller but continuous cyber-attacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material, or both.”