SEC proposes rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies
On 9 March 2022, the US Securities and Exchange Commission (SEC) proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. These rules are intended to enhance and standardize cybersecurity disclosures, and, if adopted in their current form, would require public companies to disclose cybersecurity-related policies, procedures and all material cybersecurity incidents.
- On 9 March 2022, the SEC proposed new disclosure requirements related to cybersecurity risk management, strategy, governance, and incident reporting.
- Under the proposed rules, public companies would be required to file a report on Form 8-K within four business days of determining that a cybersecurity incident was material and would be required to report material changes as a result of the incident.
- Public companies should consider updating or adopting cybersecurity policies and procedures, as the proposed rules would require disclosure of such policies and governance practices surrounding their implementation.
Incident reporting requirements
Current incident reporting (Item 1.05 of Form 8-K)
The proposed rules would create a new reporting obligation on material cybersecurity incidents. In content and substance, this obligation is similar to US state data breach notification laws. Unlike data breach notification laws, however, a cybersecurity incident can be considered material even if it does not impact personal data. For example, an unauthorized party accessing (or exceeding authorized access to), altering, or stealing sensitive business information, intellectual property, or information whose compromise resulted, or may result, in a loss or liability for the company would be a material cybersecurity incident under the proposed rules, even though no personal data was affected.
In the proposed new Item 1.05 of Form 8-K, public companies would be required to provide specific information within four business days of determining that a material cybersecurity incident had occurred. Public companies would have to determine materiality as soon as reasonably practicable after the discovery of the incident. Some state data breach notification laws allow entities to delay notification to the relevant authorities in order to avoid impeding a law enforcement investigation. The SEC, however, explicitly distinguishes this reporting obligation by stating that in “a situation in which a state law delay provision would excuse notification, there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law”.
To the extent known at the time of the filing, public companies would be required to provide particular information about the material cybersecurity incident, including:
- The date the incident was discovered, and whether the incident is ongoing.
- The nature and scope of the incident.
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose.
- The impact of the incident on company operations.
- Whether the incident has been remediated or is in the process of being remediated.
The SEC does clarify that it does not expect public companies to publicly disclose specific, technical information about their planned response to the incident or their cybersecurity systems. Notably, the proposed rules do not include a definition of materiality as it relates to cybersecurity incidents.
Periodic incident reporting (Forms 10-K and 10-Q)
Because the Form 8-K disclosure requirement, if adopted, would lead to initial reports containing incomplete information about a material cybersecurity incident, proposed Item 106(d)(1) of Regulation S-K would require public companies to disclose any material changes, additions, or updates to prior cybersecurity incidents in periodic reports.
Some examples of a material change include becoming aware of additional information, such as learning more about the scope of the incident or whether data was somehow altered, and any material impact of the incident on the public company’s operations and financial condition.
The SEC also recognizes that incidents previously considered immaterial may become material in the aggregate, triggering a reporting obligation. Proposed Item 106(d)(2) would require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. Public companies will need to analyze related cybersecurity incidents for materiality, both individually and in the aggregate.
Cybersecurity policies and procedures
In addition to the disclosures regarding cybersecurity incidents, the SEC’s proposed Item 106 of Regulation S-K would require public companies to describe in great detail any policies and procedures in place to identify and manage cybersecurity risks. The SEC’s proposed rules suggest public companies should disclose whether cybersecurity policies or procedures play a role in the company’s financial planning, capital allocation and business strategy. Any mechanisms the company has in place to mitigate cybersecurity risks that arise from third-party interactions or third-party access to company data would be disclosed as well.
Board involvement in cybersecurity
As part of the proposed disclosure regarding a company’s policies and procedures, the SEC focused on disclosures related to the role governance plays in protecting against cybersecurity incidents. Proposed Item 106 of Regulation S-K would require public companies to disclose details about the board’s oversight of cybersecurity risk, including disclosure about how frequently the board discusses the company’s cybersecurity incidents, policies and procedures.
The disclosures under proposed Item 106 of Regulation S-K would require public companies to discuss management’s role in assessing and managing cybersecurity risks and implementing the company’s cybersecurity policies and procedures as well. Under the proposed rules, companies would be required to disclose whether or not they have a Chief Information Security Officer, as well as that person’s background and expertise.
This rulemaking represents proposals by the SEC and the Commission is currently seeking public comment. The comment period for this rule proposal will be open for 60 days from the date on which the proposal appears in the Federal Register. Once comments are received, the SEC will consider those comments prior to issuing a final rule.
The SEC’s proposed rules include an amendment to Item 407 of Regulation S-K that would require annual report or proxy statement disclosure about the board of directors’ cybersecurity expertise, if any. Specifically, proposed amendments to Item 407(j) would require public companies to disclose the names of any directors with expertise in cybersecurity and detail the nature of their expertise.
To read the full provisions of the proposed requirements, click here. If you have any questions about potentially commenting on this rule proposal, or about any public company, financial services rule, or privacy or cybersecurity law, please contact your Baker McKenzie lawyers.