SEC Proposes to Expand Public Companies’ Cybersecurity Disclosure Obligations
The SEC voted 3–1 on March 9, 2022 to propose rule amendments (Proposed Rules) designed to provide investors with enhanced information to evaluate both a registrant’s exposure to cybersecurity risks and incidents and the registrant’s ability to manage and mitigate them. The Proposed Rules come on the heels of the SEC’s recent proposals[1] concerning cybersecurity risk management for registered investment advisers and registered investment companies and are the latest demonstration of the SEC’s shift in recent months toward a more aggressive cybersecurity enforcement approach. They also follow the recent enactment of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will obligate organizations operating in critical infrastructure sectors to report certain cyber incidents and related ransom payments to the federal government.
Currently, neither Regulation S-K nor Regulation S-X explicitly refers to cybersecurity risks or incidents. In 2011 and again in 2018, however, in light of the increasing significance of cybersecurity matters, the SEC issued interpretive guidance on the application of existing disclosure and other requirements under the federal securities laws to cybersecurity risks and incidents.[2] In the new proposing release, the SEC observed that, since the issuance of such guidance, disclosures of both material cybersecurity incidents and cybersecurity risk management and governance have improved, but such reporting is inconsistent, may not be timely and can be difficult to locate. As a result, the SEC concluded that investors would benefit from enhanced regulatory requirements for cybersecurity risk disclosures that, as SEC Chair Gary Gensler said in his statement on the Proposed Rules, provide information in a “consistent, comparable, and decision-useful manner.”
The Proposed Rules would, among other things, require: (i) current reporting about material cybersecurity incidents, (ii) updates about previously reported cybersecurity incidents in periodic reports and (iii) periodic disclosures regarding a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, the board of directors’ cybersecurity expertise, if any, and the board’s oversight of cybersecurity risk. Comments on the Proposed Rules are due on the later of May 9, 2022 or 30 days after their publication in the Federal Register.
I. Material Cybersecurity Incident Disclosures and Updates
Proposed Item 1.05 of Form 8-K would require a registrant to disclose the following information within four business days after determining that it has experienced a material cybersecurity incident: (i) when the incident was discovered and whether it is ongoing, (ii) a brief description of the nature and scope of the incident, (iii) whether any data was stolen, altered, accessed, or used for any other unauthorized purpose, (iv) the effect of the incident on the company’s operations, and (v) whether the company has remediated or is currently remediating the incident. Importantly, the timing for disclosure would be tied to the determination of materiality of the incident, which may be made after the date of the initial discovery.[3] Registrants would be obligated to make this materiality determination as soon as reasonably practicable after discovery of the incident. Such a determination must be consistent with relevant case law, which provides that information is material where “there is a substantial likelihood that a reasonable shareholder would consider it important”[4] in making an investment decision or if it would have “significantly altered the ‘total mix’ of information made available.”[5][6] In determining materiality, an incident should be viewed from a reasonable investor’s perspective in light of the specific circumstances of the incident.
The Proposed Rules include a non-exclusive list of examples of cybersecurity incidents that, if determined to be material, would trigger 8-K disclosure, including incidents that: (i) compromise the confidentiality, integrity or availability of information assets, (ii) cause damage or loss of control of operational technology systems, (iii) result in access to or alteration of sensitive business or personal information, and (iv) involve ransomware.
Under the Proposed Rules, a registrant may not delay reporting based on the existence of an ongoing internal or external investigation related to the cybersecurity incident. This marks a notable distinction between the Proposed Rules and state-level data breach notification statutes that allow companies to delay public notice and/or individual notice of an incident where law enforcement determines notification will impede a civil or criminal investigation. In the proposing release, the SEC noted that, “on balance, it is our current view that the importance of timely disclosure of cybersecurity incidents for investors would justify not providing for a reporting delay.” However, untimely filing under Item 1.05 would not result in loss of Form S-3 or SF-3 eligibility.[7]
Proposed Item 106(d) of Regulation S-K would require registrants to disclose any material changes, additions or updates to previously disclosed information under Item 1.05 of Form 8-K in the registrant’s Form 10-Q or Form 10-K for the period (the registrant’s fourth fiscal quarter in the case of an annual report) in which the material change, addition or update occurred. The Proposed Rules include non-exclusive examples of the types of disclosures that should be provided, if applicable. Additionally, the Proposed Rules would require registrants to disclose, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. These requirements underscore the importance of a registrant’s ongoing, longitudinal assessment of previous cybersecurity incidents, taking into account current conditions, observations and developments.
The SEC has invited comment on numerous aspects of the incident reporting proposals, including whether: (i) incident reporting obligations might create conflicts with respect to other federal or state law reporting obligations, (ii) the final rules should provide more detailed instructions on when materiality determinations must be made to sufficiently mitigate the risk of determination delays and (iii) the proposed Item 1.05 disclosures or their timing could unintentionally put registrants at additional risk of future cybersecurity incidents.
II. Cybersecurity Risk Management, Strategy and Governance Disclosures
Cybersecurity Risk Management and Strategy
The Proposed Rules would amend Form 10-K to require a registrant to provide the following disclosures specified in proposed Regulation S-K Item 106(b), as applicable:
- Whether it has a cybersecurity risk assessment program, and if so, a description thereof.
- Whether it engages third parties, including any assessors, consultants, or auditors, in connection with any cybersecurity risk assessment program.
- Whether it has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the company’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers.
- Whether it undertakes activities to prevent, detect and minimize effects of cybersecurity incidents.
- Whether it has business continuity, contingency and recovery plans in the event of a cybersecurity incident.
- Whether previous cybersecurity incidents have informed changes in its governance, policies and procedures, or technologies.
- Whether cybersecurity-related risks and incidents have affected or are reasonably likely to affect its results of operations or financial condition and if so, how.
- Whether cybersecurity risks are considered as part of its business strategy, financial planning and capital allocation, and if so, how.
Proposed Regulation S-K Item 106(c) would amend Form 10-K by requiring a discussion, as applicable, of the following issues:
- Whether the entire board of directors, specific board members or a board committee is responsible for cybersecurity risk oversight;
- The processes by which the board is informed about cybersecurity risks and the frequency of discussions on this topic;
- Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management and financial oversight;
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk (specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents), as well as the relevant expertise of such persons;
- Whether the registrant has designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports, and the relevant expertise of any such persons;
- The processes by which such persons are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
- Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.
The SEC has requested comment on various aspects of these proposals, including proposed definitions, as well as whether registrants should be required to specify whether cybersecurity experts relied upon are provided through an internal function or a third-party service provider.
III. Board Cybersecurity Expertise Disclosures
The Proposed Rules would amend Regulation S-K Item 407 to require a description of the cybersecurity expertise of members of the board of directors, if any. If a board member has such expertise, the company would be required to disclose the name(s) of the director(s) and description of the nature of the expertise. The Proposed Rules do not define what constitutes “cybersecurity expertise” but do include a non-exhaustive list of criteria a registrant should consider when determining whether a director has such expertise, including whether the director has (i) prior work in cybersecurity, (ii) obtained a certification or degree in cybersecurity, or (iii) knowledge, skills or other background in cybersecurity.
The SEC has requested comment on numerous aspects of the board expertise proposals, including whether a registrant should be required to state explicitly when it does not have a board member with cybersecurity expertise, and whether specific disclosures regarding the nature of a board member’s expertise should be required.
IV. Foreign Private Issuers (FPIs)
The Proposed Rules would amend Form 6-K to reference material cybersecurity incidents among the items that would trigger a current report on Form 6-K if the requirements for disclosure on such form are met. As with proposed Item 1.05 of Form 8-K, the proposed change to Form 6-K is intended to provide timely cybersecurity incident disclosure in a manner that is consistent with the general purpose and use of Form 6-K. Form 20-F would be amended to require cybersecurity disclosures for FPIs that are consistent with proposed requirements for domestic forms discussed above. With respect to incident disclosure, where an FPI has previously reported an incident on Form 6-K, the Proposed Rules would require an update regarding such incidents, consistent with proposed S-K Item 106(d)(1). Form 20-F would also be amended to require FPIs to disclose on an annual basis information regarding any previously undisclosed material cybersecurity incidents that have occurred during the reporting period, including a series of previously undisclosed individually immaterial cybersecurity incidents that has become material in the aggregate.
The Proposed Rules would not apply to Form 40-F filers, although the SEC has solicited comment on whether this exemption should be retained.
V. Inline XBRL Tagging
The Proposed Rules would require registrants to tag the new disclosures in Inline XBRL, including block text tagging of narrative disclosures and detail tagging of quantitative amounts.
VI. Key Takeaways
The Proposed Rules, if adopted as is, could require significant and costly adjustments by public companies. Companies will likely need to enhance their incident response plans to ensure timely evaluations of the materiality of cybersecurity incidents under the aggressive proposed four-business-day timeline. Companies will also need to undertake an evaluation of the cybersecurity risk assessment capabilities of both management and directors and make affirmative disclosures if they do not meet the criteria. And most if not all reporting companies will need to create a new section of their Annual Reports on Form 10-K describing the inner workings of their risk management systems as they pertain to cybersecurity, in more detail than the SEC has previously sought in any other area of a company’s operations. Taken as a whole, these proposals increase the likelihood of more enforcement actions based on untimely disclosures and inadequate controls related to cybersecurity incidents.
The public comment period gives companies an opportunity to provide meaningful input to the SEC on how to make the proposed rules more achievable, meaningful and effective for their companies. Parties interested in assistance with submitting comments to the SEC are encouraged to contact any of this Advisory’s authors or their Arnold & Porter contact(s).
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
You can read more about the proposal for registered investment advisers and registered investment companies in our Advisory, SEC Proposes to Expand Cybersecurity Obligations of Registered Investment Advisers and Registered Funds.
“Cybersecurity incident” would be defined as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
The Proposed Rules would also amend Rules 13a-11(c) and 15d-11(c) under the Securities Exchange Act of 1934 to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under such Act.