SEC Proposes Rules Mandating Disclosure of Material Cybersecurity Incidents
On March 9, 2022, the U.S. Securities and Exchange Commission proposed amendments to its rules that would enhance and standardize disclosures related to cybersecurity risks and incidents, and would expand upon cybersecurity guidance issued by the Commission in 2018. Most notably, the proposed rules would require current disclosure of material cybersecurity incidents on Form 8-K within four business days after the company determines that it has experienced a material cybersecurity incident. The existing 2018 guidance will remain in place regardless of whether the Commission adopts the proposed amendments.
The goal of the proposed amendments is to better inform investors about a company’s risk management, strategy and governance, and to provide timely notification of material cybersecurity incidents.
We summarize the proposed rules below, but first provide some key takeaways:
- The proposed rules are significant, but not a surprise. As noted above, the proposal follows the 2018 cybersecurity guidance, as well as the SEC’s creation of a Cyber Unit in its Enforcement Division; numerous SEC enforcement actions over the last several years arising out of cyber-incidents, alleging insufficient disclosures and/or controls related to the incident; and a recent rule proposal regarding cybersecurity reporting by investment advisers and investment companies, discussed here.
- As with any disclosure issue, materiality is the linchpin. Only “material” cybersecurity incidents need to be disclosed, although the proposal provides little guidance on when an incident should be considered material.
- Moreover, even when a company determines an incident is, in fact, material, it may still be faced with a series of complicated and difficult decisions. The proposal requires the filing of a Form 8-K within four business days of that determination. If the rules are adopted as proposed, sensitive disclosure issues may need to be resolved in a more compressed timeframe.
- Further, the four-business-day filing deadline may lead to tension between the SEC and other parts of the government, including the cyber and intelligence arms of the Department of Justice. For example, particularly in an age of nation-state sponsored cyber-attacks, the prompt filing of a Form 8-K could provide a malicious actor with valuable, timely intelligence on the effectiveness of its cyberattack efforts.
- SEC Commissioner Hester Peirce dissented from the proposed rules, arguing that the proposal “flirts with casting us as the nation’s cybersecurity command center, a role Congress did not give us” and questioned whether “securities regulators are . . . best suited to design cybersecurity programs to be effective for all companies, in all industries, across time.” It will be interesting to see the extent to which these views are reflected in comments submitted during the public comment period.
- At bottom though, in light of the SEC’s continued focus on cyber disclosures and controls, public-company boards and management teams will need to evaluate their company’s disclosure controls and procedures to confirm that they are sufficiently designed to record, process, summarize and report to investors material information related to cybersecurity risks and incidents. The proposed cybersecurity rules may prompt companies to engage cybersecurity consultants, advisors or auditors and evaluate their existing relationships with third-party digital service providers.
Existing Cybersecurity Disclosure Requirements
The SEC issued interpretive guidance in 2018 to assist companies in determining when they may be required to disclose information regarding cybersecurity risks and incidents under existing disclosure rules. Importantly, this existing guidance will remain in place regardless of whether the Commission adopts the proposed amendments described below.
Reporting of Material Incidents on Form 8-K
The proposed amendments would add new Item 1.05 to Form 8-K to require that companies disclose information about a cybersecurity incident within four business days after the company determines that it has experienced a material cybersecurity incident.
Specifically, new Item 1.05 would require a company to disclose the following information about a material cybersecurity incident, to the extent the information is known at the time of the Form 8-K filing:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the registrant’s operations; and
- Whether the registrant has remediated or is currently remediating the incident.
Definition of Cybersecurity Incident. In the proposing release, the Commission noted that the term “cybersecurity incident” should be construed broadly as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
Periodic Updates to Previously Reported Incidents on Forms 10-Q and 10-K
Proposed Item 106(d)(1) of Regulation S-K would require companies to disclose any material changes, additions or updates to the information required by Item 1.05 of Form 8-K on Forms 10-Q and 10-K for the period in which the material change, addition or update occurred. This would include any material information not known or disclosable at the time of the Form 8-K filing.
Separately, proposed Item 106(d)(2) would require disclosure of the information required by Item 1.05 of Form 8-K when a series of previously undisclosed individually immaterial cybersecurity incidents became material in the aggregate. Such incidents would need to be disclosed in the periodic report for the period in which a company has made a determination that they are material in the aggregate.
Cybersecurity Risk Management and Strategy Disclosures on Form 10-K
Proposed Item 106(b) of Regulation S-K would require companies to disclose their policies and procedures (if any) to identify and manage cybersecurity risks and threats.
Cybersecurity Governance Disclosures on Form 10-K
Proposed Item 106(c)(1) of Regulation S-K would require disclosure of a company’s cybersecurity governance, including the board’s role in overseeing cybersecurity risks.
Proposed Item 106(c)(2) would require a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures, and strategies.
Cybersecurity Expertise of Directors
Proposed Item 407(j) of Regulation S-K would require that companies disclose in their annual proxy statements and Form 10-Ks the cybersecurity expertise of members of the board of directors, if any. If any member of the board has cybersecurity expertise, then the company would have to disclose the name(s) of such director(s) and provide such detail as necessary to fully describe the nature of the expertise.
Public Comment Period
The SEC will accept comments on the issues raised in the proposing release until the later of (i) May 9, 2022 or (ii) 30 days after the release is published in the Federal Register.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.