In remarks in January before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler addressed cybersecurity under the securities laws. (See this PubCo post.) Gensler suggested that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. In addition, he said, it’s a national security issue. Gensler reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. (As reported by the NYT, that has been especially true in recent weeks, where “the war in Ukraine is stress-testing the system.”) And today, according to Corp Fin Director Renee Jones, in light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, that’s more true than ever, with escalating cybersecurity risk affecting just about all reporting companies. Given the recent consternation over hacks and ransomware, as well as the rising potential for cyberattacks worldwide, it should come as no surprise that the SEC voted today, by a vote of three to one, to propose regulations “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” While threats have increased in number and complexity, Jones said, currently, company disclosure is not always decision-useful and is often inconsistent, not timely and hard for investors to find. What’s more, some material incidents may not be reported at all. As described by Jones, the SEC approached the rulemaking from two perspectives: first, incident reporting and second, periodic disclosure regarding cybersecurity risk management, strategy and governance. 
According to SEC Chair Gary Gensler, “[o]ver the years, our disclosure regime has evolved to reflect evolving risks and investor needs….Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks….I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” The public comment period will be open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.
As described in the fact sheet, the proposal would:
- “Require current reporting about material cybersecurity incidents on Form 8-K;
- Require periodic disclosures regarding, among other things:
  - A registrant’s policies and procedures to identify and manage cybersecurity risks;
  - Management’s role in implementing cybersecurity policies and procedures;
  - Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
  - Updates about previously reported material cybersecurity incidents; and
- Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).”
Of course, the SEC’s concerns about cybersecurity disclosure are not new. In 2018, the SEC adopted long-awaited guidance on cybersecurity disclosure. The guidance addressed disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. The guidance built on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding, in particular, new discussions of policies and insider trading. While the guidance was adopted unanimously, some of the commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. (See this PubCo post.) Moreover, although there were improvements in disclosure following release of the guidance, concern has been mounting that company responses to that guidance have been inconsistent, not comparable and not decision-useful. The proposed amendments are intended to “better inform investors” about public companies’ “risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents. Consistent, comparable, and decision-useful disclosures would allow investors to evaluate registrants’ exposure to cybersecurity risks and incidents as well as their ability to manage and mitigate those risks and incidents.”
The SEC’s proposal
As described in the fact sheet, the proposal would “amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident.” Similarly, the proposal would amend Form 6-K to add “cybersecurity incidents” as a reporting topic. At the meeting, Commissioner Allison Herren Lee raised the issue of whether a company’s determination of materiality was really the right trigger for commencement of the four-day timeframe, or whether it might be preferable to start the clock at the date of discovery or some other more defined point in time, to mitigate the risk of a lengthy materiality determination. She also asked whether there was an adequate definition of a “material cybersecurity incident.” On the other side, Commissioner Hester Peirce viewed the incident reporting provision as “properly rooted in materiality,” and constructed to “afford companies the necessary flexibility to get their arms around the magnitude of a cybersecurity incident before the four-day disclosure clock begins to run.”
Under the proposal, a new Item 106(d) would be added to Reg S-K (and Item 16J(d) of Form 20-F) to require companies to update their disclosures about prior reported cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.
Periodic disclosure regarding risk management, strategy and governance
In addition, the proposal would require “enhanced and standardized disclosure” regarding companies’ “cybersecurity risk management, strategy, and governance.” The proposal would add two new disclosure provisions. First, the proposal would add Item 106 to Reg S-K (and Item 16J of Form 20-F) to require companies to describe their policies and procedures for identifying and managing risks related to cybersecurity threats, including whether, and if so, how, the company takes into account cybersecurity risks as part of its business strategy, financial planning and capital allocation. Item 106 would also require disclosure about the company’s cybersecurity governance, including board oversight of cybersecurity risk (such as whether and how the board or a board committee considers cybersecurity risks as part of its business strategy, risk management and financial oversight) and how the board is informed about cybersecurity risk; and management’s role in assessing and managing cybersecurity risk and in implementing the company’s cybersecurity policies, procedures and strategies, including management’s expertise in the “prevention, mitigation, detection, and remediation of cybersecurity incidents.”
Second, the proposal would amend Item 407 of Reg S-K (and Form 20-F) to require disclosure regarding the cybersecurity expertise of any board members. The disclosure would be required in annual reports and proxy statements for the election of directors.
At the open meeting
Peirce dissented. In her statement, Peirce contended that the proposal exceeded the SEC’s limited role, “flirt[ing] with casting us as the nation’s cybersecurity command center, a role Congress did not give us.” In her view, the proposal goes beyond regulating companies’ disclosures. Rather, in her words, the proposal, while
“couched in standard disclosure language, guides companies in substantive, if somewhat subtle, ways. First, the governance disclosure requirements embody an unprecedented micromanagement by the Commission of the composition and functioning of both the boards of directors and management of public companies. First, the proposal requires issuers to disclose the name of any board member who has cybersecurity expertise and as much detail as necessary to fully describe the nature of the expertise. Second, the proposal requires issuers to disclose whether they have a chief information security officer, her relevant expertise, and where she fits in the organizational chart. Third, the proposal requires granular disclosures about the interactions of management and the board of directors on cybersecurity, including the frequency with which the board considers the topic and the frequency with which the relevant experts from the board and management discuss the topic.”
To Peirce, these prescriptive disclosure rules resemble “a list of expectations about what issuers’ cybersecurity programs should look like and how they should operate.” (Of course, this type of disclosure requirement is not a new invention and was described by the late Marty Dunn as “regulation by humiliation” back when he was at the SEC.) Although SOX required disclosure regarding audit committee expertise, Peirce said, that was mandated by Congress and was at least “directly related to the reliability of the financial statements at the heart of our disclosure system.” This proposal goes beyond that by “requiring detailed disclosure about discrete subject matter expertise of directors and employees who are not necessarily executive officers or significant employees, and about the frequency of interactions between the board and management on a specific topic. While the integration of cybersecurity expertise into corporate decision-making likely is a prudent business decision for nearly all companies, whether, how, and when to do so should be left to business—not SEC—judgment.”
She also viewed the proposed requirement to disclose cybersecurity policies and procedures as, again, more than a disclosure requirement, but instead an attempt to “pressure companies to consider adapting their existing policies and procedures to conform to the Commission’s preferred approach, embodied in eight specific disclosure items.” These detailed disclosure obligations, she contended, “will have the undeniable effect of incentivizing companies to take specific actions to avoid appearing as if they do not take cybersecurity as seriously as other companies.” But, in Peirce’s view, that is a subject “best left to the company’s management to figure out in view of its specific challenges, subject to the checks and balances provided by the board of directors and shareholders.”
While she thought the incident reporting provisions might be unnecessary in light of existing guidance, she at least considered the proposed rules to be “sensible guideposts for companies to follow in reporting material cybersecurity incidents.” However, she was concerned that the proposal was “unduly dismissive of the need to cooperate with, and sometimes defer to, our partners across the federal government and state government,” noting, for example, the absence of any temporary relief in the event that law enforcement agencies believed that a delay in disclosure would facilitate recovery of stolen funds or detection of the perpetrators.
In his statement, Gensler described the proposed rulemaking as part of a natural progression of disclosure requirements in response to evolving risks:
“We’ve been requiring disclosure of important information from companies since the Great Depression. The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis. Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs. Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.”
All of this data that companies and others collect, he ad-libbed, is akin to a “honey pot” for malefactors, and, as a result, cybersecurity incidents “happen a lot. They can have significant financial, operational, legal, and reputational impacts on public issuers.” Although many companies already provide some cybersecurity disclosure, Gensler believes that this disclosure would benefit both companies and investors “if this information were required in a consistent, comparable, and decision-useful manner.”
Lee, whose statement, as of this writing, has not yet been posted (so my notes will have to do), began by highlighting our increased reliance on digital technology—as evidenced by the open meeting held virtually today. Along with that growth has come an increase in the prevalence of cyberattacks. These attacks, she said, have not just compromised personal information or disrupted individual businesses; they also have the potential to create market-wide instability. Since the issuance of prior guidance, these risks have increased, along with concerns about under-reporting—inadequate and untimely disclosure that is short on detail. The proposed rules are intended to address these issues.
Commissioner Caroline Crenshaw observed that CEOs “have identified cybersecurity as the number one threat to business growth in the coming years. Experts have provided Congressional testimony that cyber threats are among the most significant strategic risks to our national security, economic prosperity, and public health and safety.…Further, the sophistication and frequency of cyberattacks have increased. And that increase has imposed corresponding economic harms and increased expenses on companies, and their investors.” She viewed the proposal as “an important step forward in addressing this growing and ever-present risk.”