SEC Proposes New Rules on Cybersecurity

On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed significant new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies. The proposal aligns with the SEC’s similar effort to revise cyber reporting obligations for investment advisors and funds and demonstrates that the SEC intends to play a more active role in cybersecurity. If adopted, the proposed rules will impose significant new obligations on public companies, including new current reporting requirements regarding material cybersecurity incidents, additional periodic disclosure requirements regarding cybersecurity incidents, risk management and governance, and Inline XBRL reporting. The proposed rules purport to target inconsistency in cybersecurity disclosure practices and seek to better and more timely inform investors about a registrant’s cybersecurity matters. The SEC's proposing release is available here.

The rules are open to public comment for 60 days following publication on the SEC’s website (March 9, 2022) or for 30 days following publication in the Federal Register, whichever is longer.  Consequently, the public comment period will run through at least May 9, 2022.

The SEC has proposed amendments to Form 8-K to add new Item 1.05, which would require registrants to disclose, to the extent known at the time of the Form 8-K filing, the following information about any material cybersecurity incident within four business days after the registrant determines that such incident is material:

• When the incident was discovered and whether it is ongoing;
• A brief description of the nature and scope of the incident;
• Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
• The effect of the incident on the registrant’s operations; and
• Whether the registrant has remediated or is currently remediating the incident.

Not all cybersecurity events trigger a reporting requirement; only those that are material will require reporting on Item 1.05.  While the date of the registrant’s materiality determination may coincide with the date of discovery of an incident, the materiality determination may come after the discovery date. Instruction 1 to proposed Item 1.05 requires a registrant to make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.

Under the proposed rules, registrants would need to carefully assess whether a reasonable investor would conclude that the cybersecurity incident is material in light of the specific circumstances presented. As with the current materiality standard, information regarding a cybersecurity incident is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available to an investor. The SEC cautioned that a materiality analysis should not be a mechanical exercise—registrants would need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material. Even if the probability of an adverse consequence is relatively low, if the magnitude of the loss or liability is high, the incident may still be material. Doubts regarding the materiality of an incident are expected to be resolved in favor of disclosure. This will add another issue for companies to address when trying to respond and mitigate a data security incident.

An ongoing internal or external investigation would not on its own provide a basis for avoiding disclosure of a material cybersecurity incident under the proposed rules. Accordingly, even though certain state laws may permit a delay in public notice of a data breach if law enforcement determines the notification will impede a civil or criminal investigation, such conclusion will not excuse timely reporting of the incident on Form 8-K. The SEC does acknowledge, however, that it would not expect a registrant to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities if disclosure of those details would impede its response or remediation of the incident.

The following is a non-exclusive list of examples of cybersecurity incidents that may, if determined by the registrant to be material, trigger the proposed Item 1.05 disclosure requirement:

• An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network) or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
• An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
• An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant;
• An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
• An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.

The proposed amendments contain corresponding amendments to Form 6-K for foreign issuers. The SEC has also proposed amendments to General Instruction I.A.3.(b) of Form S-3 and General Instruction I.A.2 of Form SF-3 to provide that an untimely filing on Form 8-K regarding proposed new Item 1.05 would not result in loss of Form S-3 or Form SF-3 eligibility.

Periodic Reporting Requirements About Cybersecurity Incidents

The SEC proposed additional updates to Forms 10-K and 10-Q and a new Item 106(d) of Regulation S-K to require disclosure of updates to previously reported cybersecurity incidents and disclosure of cybersecurity incidents that have become material in the aggregate. Corresponding updates were also made to Form 20-F to reflect requirements for foreign issuers.

Updates to Previously Reported Cybersecurity Incidents

New Item 106(d)(1) of the proposed amendments would require registrants to disclose any material changes, additions, or updates to information required to be disclosed pursuant to proposed Item 1.05 of Form 8-K in the applicable Form 10-Q or Form 10-K filed for the period in which the material change, addition, or update occurred. This disclosure requirement will continue for as long as there are material changes, additions, or updates regarding the previously-reported cybersecurity incident.

Additional disclosures that may need to be included as part of these updates include (i) any additional material information about the scope of the incident and whether any data was stolen or altered, and (ii) information about the effect of the previously reported cybersecurity incident on the registrant’s operations as well as a description of remedial steps it has taken, or plans to take, in response to the incident that were not available at the time of the initial Form 8-K filing. The SEC provided the following non-exclusive examples of the type of disclosure that a registrant should provide to update its incident disclosure in periodic reports, if applicable:

• Any material impact of the incident on the registrant’s operations and financial condition;
• Any potential material future impact on the registrant’s operations and financial condition;
• Whether the registrant has remediated or is currently remediating the incident; and
• Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident and how the incident may have informed such changes

While disclosure of material updates to previous Form 8-K disclosure would typically be permitted in a subsequent Form 10-Q or 10-K, the SEC noted that there may be situations where a registrant would need to file an amended Form 8-K where previous disclosure regarding a material cybersecurity incident becomes inaccurate or materially misleading as a result of subsequent developments regarding the incident. As an example, the SEC indicated that if the impact of a cybersecurity incident is determined after the initial Item 1.05 Form 8-K filing to be significantly more severe than previously disclosed, an amended Form 8-K may be required.

Disclosure of Cybersecurity Incidents that Have Become Material in the Aggregate

A new Item 106(d)(2) would additionally require registrants to disclose when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. If such incidents become material in the aggregate, a registrant would need to disclose the information required by proposed Item 1.05 of Form 8-K in the Form 10-Q or Form 10-K filed for the period in which the registrant has made a determination that they are material in the aggregate. The SEC highlighted that this could include, for example, instances of a number of smaller but continuous cyber-attacks by one malicious actor that are immaterial individually but material in the aggregate.  On the face of the proposed rule, even immaterial cybersecurity incidents that are unrelated to each other in type, manner, or threat actor could become material in the aggregate.

Disclosures Regarding Cybersecurity Risk Management, Strategy, and Governance

Proposed Item 106 of Regulation S-K would also require that a registrant provide disclosures in its Form 10-K describing information about the registrant’s cybersecurity risk management and strategy as well as its governance of cybersecurity risk, including the role and relevant expertise of management and the role of the registrant's board of directors in overseeing cybersecurity risk. The SEC has also proposed corresponding amendments to Form 20-F for foreign private issuers.

Cybersecurity Risk Management and Strategy

To provide more consistent disclosure and to facilitate greater transparency regarding a registrant’s management of cybersecurity risks, proposed Item 106(b) of Regulation S-K would require a registrant to disclose its policies and procedures, if any, to identify and manage cybersecurity risks and threats, including: operational risk; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk. Specifically, proposed Item 106(b) of Regulation S-K would require disclosure, as applicable, of whether:

• The registrant has a cybersecurity risk assessment program and, if so, a description of such program;
• The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
• The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the registrant uses to mitigate cybersecurity risks related to these providers;
• The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
• The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
• Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies;
• Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; and
• Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how.

Board’s Role in Overseeing Cybersecurity Risk

In new Item 106(c)(1) of Regulation S-K, the SEC would require disclosure about the board’s responsibility for overseeing cybersecurity risks to the registrant. These disclosures would require a discussion of the following, as applicable:

• Whether the entire board of directors, specific board members, or a board committee is responsible for the oversight of cybersecurity risk;
• The processes by which the board is informed about cybersecurity risks, and the frequency of its discussion on the topic; and
• Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.

Management’s Role in Managing Cybersecurity Risk

In new Item 106(c)(2) of Regulation S-K, the SEC would require disclosure of management’s role in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures, and strategies.  Specifically, the information required to be described would include, but not be limited to, the following:

• Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents and the relevant expertise of such persons or members;
• Whether the registrant has a designated chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart and the relevant expertise of any such persons;
• The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
• Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.

Additional Disclosure of Board Cybersecurity Expertise

The SEC additionally proposed to add a new Item 407(j) of Regulation S-K to require disclosure about the cybersecurity expertise of members of a registrant’s board of directors. If any member of the board has cybersecurity expertise, the registrant would be required to disclose the names of any such directors and provide such detail as necessary to fully describe the nature of the expertise. The new disclosure, if adopted, would be required in a registrant’s proxy statement (or information statement) when action is being taken with respect to the election of directors and in Part III of Form 10-K (subject to proxy statement incorporation as permitted by current rules). The SEC proposed corresponding amendments to Form 20-F for foreign private issuers.

Proposed Item 407(j) does not define what constitutes “cybersecurity expertise,” but rather includes the following non-exclusive list of criteria that a registrant should consider in reaching a determination on whether a director has expertise in cybersecurity:

• Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
• Whether the director has obtained a certification or degree in cybersecurity; and
• Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.

The proposed rule provides that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 of the Securities Act of 1933, as a result of being designated or identified as a director with expertise in cybersecurity pursuant to proposed Item 407. This proposed safe harbor is intended to clarify that the identification would not impose on such person any duties, obligations, or liability that are greater than the duties, obligations, and liability imposed on such person as a member of the board of directors in the absence of such designation or identification. The SEC further clarified that the identification of a cybersecurity expert would not decrease the duties and obligations or liability of other board members. 

XBRL Requirements

Under the amended rules, registrants are required to tag the information specified by Item 1.05 of Form 8-K and Items 106 and 407(j) of Regulation S-K in Inline XBRL in accordance with Rule 405 of Regulation S‑T and the EDGAR Filer Manual. The proposed requirements would include block text tagging of narrative disclosures, as well as detail tagging of quantitative amounts disclosed within the narrative disclosures.

Suggested Actions in Preparation for Final Rules

In anticipation of the SEC’s adoption of final cybersecurity rules, companies should consider the following actions:   

• Assess the company’s current disclosure controls and procedures to enhance, if needed, the review of cybersecurity incidents to ensure decisions regarding materiality are incorporated into incident response plans and are made as soon as reasonably practicable and that appropriate information regarding those incidents is communicated on a timely basis to those individuals responsible for the company’s public disclosures;   
• Review the company’s cybersecurity policies and procedures and related incident response plans and consider whether changes or enhancements are appropriate to strengthen the company’s management of cybersecurity risks and to address potential future disclosure requirements regarding those policies and procedures;
• Formalize any informal cybersecurity practices in preparation for potential future disclosure requirements regarding the company’s cybersecurity risk management policies and procedures;
• Assess and, if necessary, formalize the role of the board and each board committee in overseeing cybersecurity risk; and
• Assess the current cybersecurity expertise of each of the company’s board of directors and consider any necessary board refreshment needs.

As there are many items in the proposed rule that could benefit from additional clarity or that would be impractical to implement, companies should take advantage of the public comment period to provide substantive feedback to the SEC.