[This post revises and updates my earlier post primarily to reflect the contents of the proposing release.]
At an open meeting last week, the SEC voted, three to one, to propose regulations “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” At the meeting, SEC Corp Fin Director Renee Jones said that, in today’s digitally connected world, cyber threats and incidents pose an ongoing and escalating threat to public companies and their shareholders. In light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, cybersecurity risk is affecting just about all reporting companies, she continued. While threats have increased in number and complexity, Jones said, currently, company disclosure about cybersecurity is not always decision-useful and is often inconsistent, not timely and sometimes hard for investors to locate. What’s more, some material incidents may not be reported at all. The SEC’s proposal is intended to provide meaningful and decision-useful information to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. As described by Jones, the SEC approached the rulemaking from two perspectives: first, incident reporting and second, periodic disclosure regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gary Gensler, “[o]ver the years, our disclosure regime has evolved to reflect evolving risks and investor needs….Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks….I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” Notably, the proposal is quite prescriptive, with a number of multi-part bullet point disclosure requirements, just the sort of thing to elicit a dissent from Commissioner Hester Peirce. The public comment period will be open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.
As described in the fact sheet, the proposal would:
- “Require current reporting about material cybersecurity incidents on Form 8-K;
- Require periodic disclosures regarding, among other things:
  - A registrant’s policies and procedures to identify and manage cybersecurity risks;
  - Management’s role in implementing cybersecurity policies and procedures;
  - Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
  - Updates about previously reported material cybersecurity incidents; and
- Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).”
Here are the rule proposal and the press release.
Of course, the SEC’s concerns about cybersecurity disclosure are not new. In 2018, the SEC adopted guidance on cybersecurity disclosure that addressed disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. The guidance built on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding, in particular, new discussions of policies and insider trading. While the guidance was adopted unanimously, some of the commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. (See this PubCo post.) Moreover, although there were improvements in disclosure following release of the guidance, concern has been mounting that company responses to that guidance have been inconsistent, not comparable and not decision-useful. The proposed amendments are intended to “better inform investors” about public companies’ “risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents. Consistent, comparable, and decision-useful disclosures would allow investors to evaluate registrants’ exposure to cybersecurity risks and incidents as well as their ability to manage and mitigate those risks and incidents.”
The SEC’s proposal
The SEC’s proposal would require disclosure of material cybersecurity incidents in current and periodic reports. In addition, the proposal would require disclosure in periodic reports of policies and procedures to identify and manage cybersecurity risk, including the impact of cybersecurity risks on strategy; management’s role and expertise in implementing the company’s cybersecurity policies, procedures and strategies; and the board of directors’ oversight role and cybersecurity expertise, if any.
Reporting of cybersecurity incidents on Form 8-K
To address concerns that material cybersecurity incidents are not being reported on a timely basis (or not being reported at all), the SEC is proposing to require companies to disclose material cybersecurity incidents on Form 8-K within four business days after they have determined that they have experienced a material cybersecurity incident. New Item 1.05 would require companies to disclose, to the extent known at the time of filing,
- “When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the registrant’s operations; and
- Whether the registrant has remediated or is currently remediating the incident.”
(Similarly, the proposal would amend Form 6-K to add “cybersecurity incidents” as a reporting topic.) The reporting company would not be expected to disclose “specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”
The SEC selected the company’s determination of materiality as the trigger—rather than the date of discovery of the incident—to focus the disclosure on material incidents, but the SEC expects companies “to be diligent in making a materiality determination in as prompt a manner as feasible.” To deter delays in making that determination for the purpose of avoiding disclosure, Instruction 1 to proposed Item 1.05 provides that “a registrant shall make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.” At the SEC’s open meeting, Commissioner Allison Herren Lee raised the issue of whether a company’s determination of materiality was really the right trigger for commencement of the four-day timeframe or whether it might not be preferable to start the clock at the date of discovery or some other more defined time to mitigate the risk of a lengthy materiality determination. On the other side, Peirce viewed the incident reporting provision as “properly rooted in materiality,” and constructed to “afford companies the necessary flexibility to get their arms around the magnitude of a cybersecurity incident before the four-day disclosure clock begins to run.”
What is a “material cybersecurity incident”? For a definition of “materiality,” for this purpose, the SEC referred to significant caselaw, such as TSC Industries and Basic v. Levinson: “Information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the total mix of information made available.’ In articulating this materiality standard, the Supreme Court recognized that ‘[d]oubts as to the critical nature’ of the relevant information ‘will be commonplace.’ But ‘particularly in view of the prophylactic purpose’ of the securities laws, and ‘the fact that the content’ of the disclosure ‘is within management’s control, it is appropriate that these doubts be resolved in favor of those the statute is designed to protect,’ namely investors.” Companies will need to evaluate all relevant facts and circumstances. Even if the probability of an adverse consequence is relatively low, the SEC cautions, “if the magnitude of the loss or liability is high, the incident may still be material; materiality ‘depends on the significance the reasonable investor would place on’ the information.” Accordingly, companies will need to assess the materiality of the incident “in light of the specific circumstances presented by applying a well-reasoned, objective approach from a reasonable investor’s perspective based on the total mix of information.”
The release indicates that definitions of terms proposed in new Reg S-K Item 106(a) would also apply to Item 1.05 8-K (although only the definition of “cybersecurity incident” is expressly referred to in proposed Item 1.05):
- “Cybersecurity incident means an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
- Cybersecurity threat means any potential occurrence that may result in, an unauthorized effort to adversely affect the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
- Information systems means information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.”
Although, at the open meeting, Lee raised the question of whether the proposal provided an adequate definition of “material cybersecurity incident,” according to the release, the SEC believes “cybersecurity incident” is “sufficiently understood and broad enough to encompass incidents that could adversely affect a registrant’s information systems or information residing therein, such as gaining access without authorization or by exceeding authorized access to such systems and information that could lead, for example, to the modification or destruction of systems and information.” The SEC advises that the term “cybersecurity incident…should be construed broadly” and could result from “an accidental exposure of data, a deliberate action or activity to gain unauthorized access to systems or to steal or alter data, or other system compromises or data breaches.”
Notably, a company’s “information systems” is proposed to include “information resources owned or used by the registrant.” [Emphasis added.] Among the questions on which the SEC is requesting comment is whether companies would “be reasonably able to obtain information to make a materiality determination about cybersecurity incidents affecting information resources that are used but not owned by them” and whether there should be “a safe harbor for information about cybersecurity incidents affecting information resources that are used but not owned by a registrant.”
To give us a flavor of the type of incident that the SEC has in mind, the SEC provided five examples of cybersecurity incidents that could trigger disclosure, if determined to be material:
- “An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
- An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
- An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant;
- An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
- An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.”
The proposal would not allow a delay in reporting because of an ongoing internal or external investigation related to the cybersecurity incident. While an ongoing investigation might affect the specifics of the disclosure, it would not provide a basis for delaying disclosure; given that investigations may be long and extensive, a delay could undermine the purpose of the requirement. Although a delay might facilitate a law enforcement investigation, on balance, the SEC believes that “the importance of timely disclosure of cybersecurity incidents for investors would justify not providing for a reporting delay.” Notably, referring to the unavailability in the proposal of temporary relief to accommodate law enforcement agencies seeking to recover stolen funds or detect perps, Peirce’s dissenting statement expressed concern that the proposal was “unduly dismissive of the need to cooperate with, and sometimes defer to, our partners across the federal government and state government.” The SEC does request comment on whether a delay should be permitted “where the Attorney General requests such a delay from the Commission based on the Attorney General’s written determination that the delay is in the interest of national security.”
The SEC is also proposing to amend Form S-3 (and Form SF-3) to provide that an untimely Item 1.05 filing on Form 8-K would not result in loss of Form S-3 (or Form SF-3) eligibility. Under the proposal, the SEC would also amend Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 in the event that a company fails to file an Item 1.05 report. The safe harbor is intended to protect companies in circumstances where the triggering event for the Form 8-K requires management to make a rapid materiality determination, which could be the case in some circumstances here, the SEC concluded.
Disclosure about cybersecurity incidents in periodic reports
Updates to previously filed Form 8-K disclosure
Under the proposal, a new Item 106(d)(1) would be added to Reg S-K to require companies to disclose any material changes, additions or updates to information reported in their Item 1.05 8-Ks. The disclosure would be required in the 10-Q or 10-K for the period in which the material change, addition or update occurred. This aspect of the proposal recognizes that a company “may not have complete information about a material cybersecurity incident at the time it determines the incident to be material,” and would provide a mechanism for shareholders to stay apprised of new developments. New developments might include information about the impact of the incident or remedial actions taken or planned, such as:
- “Any material impact of the incident on the registrant’s operations and financial condition;
- Any potential material future impacts on the registrant’s operations and financial condition;
- Whether the registrant has remediated or is currently remediating the incident; and
- Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.”
Note, however, that an amended Form 8-K may be required in some circumstances, such as when the 8-K becomes “inaccurate or materially misleading as a result of subsequent developments regarding the incident. For example, if the impact of the incident is determined after the initial Item 1.05 Form 8-K filing to be significantly more severe than previously disclosed, an amended Form 8-K may be required.”
Disclosure of cybersecurity incidents that have become material in the aggregate
Under proposed S-K Item 106(d)(2), disclosure would be required “when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.” An example provided is when “one malicious actor engages in a number of smaller but continuous cyber-attacks related in time and form against the same company.”
In that event, companies would need to disclose, to the extent known to management,
- “A general description of when the incidents were discovered and whether they are ongoing;
- A brief description of the nature and scope of the incidents;
- Whether any data was stolen or altered in connection with the incidents;
- The effect of the incidents on the registrant’s operations; and
- Whether the registrant has remediated or is currently remediating the incidents.”
Note that, although this item does not expressly state that it is triggered by a “determination of materiality” by the company (the stated trigger is instead that a series of incidents “has become material in the aggregate”), the text of the release indicates that the “incidents would need to be disclosed in the periodic report for the period in which a registrant has made a determination that they are material in the aggregate.”
Disclosure of risk management, strategy and governance regarding cybersecurity risks
Corp Fin staff found that, in 2021, most companies that disclosed a cybersecurity incident provided only general disclosures and “did not describe their cybersecurity risk oversight and related policies and procedures.” To address this omission, the SEC is proposing that companies disclose information about their cybersecurity policies and procedures, management’s role in assessing cybersecurity risk and implementing cybersecurity policies, as well as board oversight of cybersecurity.
Risk management and strategy
To provide greater transparency with respect to a company’s cybersecurity risk profile, the SEC is proposing to add new Item 106(b) of Reg S-K, which would require companies to provide “more consistent and informative disclosure regarding their cybersecurity risk management and strategy,” including selection and oversight of third-party service providers. In addition, the SEC observes that cybersecurity risks could affect a company’s business strategy, financial outlook or financial planning. As companies increasingly rely on information technology, data collection and digital payments, cybersecurity risks could affect their decisions to invest in enhanced protection or minimize exposure to some risks. The SEC suggests that disclosure about the “impact of cybersecurity risks on business strategy would enable investors to assess whether companies will become more resilient or conversely, more vulnerable to cybersecurity risks in the future.” In addition, the SEC indicates, investors need to understand the impact of cybersecurity risks and past incidents on the company’s financial performance or condition.
Accordingly, proposed new Reg S-K Item 106(b) would require a description of a company’s policies and procedures, if any, for the identification and management of cybersecurity risks, including “operational risk (i.e., disruption of business operations); intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk.” To the extent applicable, companies should disclose whether:
- “(i) The registrant has a cybersecurity risk assessment program, and if so, provide a description of such program;
- (ii) The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
- (iii) The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third party service provider, including, but not limited to, those providers that have access to the registrant’s customer and employee data. If so, the registrant shall describe these policies and procedures, including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
- (iv) The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents, and if so, provide a description of the types of activities undertaken;
- (v) The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
- (vi) Previous cybersecurity incidents informed changes in the registrant’s governance, policies and procedures, or technologies;
- (vii) Cybersecurity-related risks and previous cybersecurity-related incidents have affected or are reasonably likely to affect the registrant’s strategy, business model, results of operations, or financial condition and if so, how; and
- (viii) Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation, and if so, how.”
As proposed, a company that has not established any cybersecurity policies or procedures “would not have to explicitly state that this is the case.” Among the questions the SEC raises for comment is whether there are concerns that Item 106 disclosures “would have the potential effect of undermining a registrant’s cybersecurity defense efforts or have other potentially adverse effects by highlighting a registrant’s lack of policies and procedures related to cybersecurity.”
Proposed Item 106(c) would require disclosure about a company’s cybersecurity governance, including “the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies.”
With regard to board oversight of cybersecurity risk, to the extent applicable, proposed Item 106(c)(1) would require discussion of the following:
- “Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
- The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
- Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.”
The release notes that the SEC’s 2018 guidance suggested that companies disclose how their boards interact with management on cybersecurity issues.
In addition, proposed Item 106(c)(2) would require a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the company’s cybersecurity policies, procedures and strategies, including the following:
- “Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
- Whether the registrant has designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons;
- The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
- Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.”
The SEC asks for comment on whether any categories of companies, such as smaller companies or EGCs, should be exempt and whether any of the disclosure requirements should be scaled or subject to delayed compliance.
Disclosure regarding the board of directors’ cybersecurity expertise
Although cybersecurity oversight is recognized as a top priority of many boards, how many directors actually have cybersecurity expertise? The proposal would add paragraph (j) to Item 407 of Reg S-K, which would require disclosure about the cybersecurity expertise of directors. If any directors have cybersecurity expertise, the company would have to identify the directors and fully describe the nature of the expertise. The disclosure would be required in annual reports and proxy statements for the election of directors. The proposal would not require a company to make an explicit statement if the board does not have a cybersecurity expert.
Although the proposal does not define “cybersecurity expertise,” it does include a non-exclusive list of criteria that should be considered in making a determination:
- “Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
- Whether the director has obtained a certification or degree in cybersecurity; and
- Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.”
Designation of a director as a cybersecurity expert would not mean that the director is an expert for purposes of Section 11 or impose on the director any additional duties, obligations or liability over and above those imposed as a director, nor would the designation of a cybersecurity expert decrease the duties and obligations or liability of other directors.
Foreign Private Issuers
The SEC is proposing to amend Form 20-F to add Item 16J to require an FPI to include in its annual report on Form 20-F the same type of disclosure as that proposed in Reg S-K Items 106 and 407(j) (except that Item 407(j) disclosure about board expertise would not be required in proxy statements). With respect to incident disclosure, the proposed amendments would also require an update of prior Form 6-K reporting, consistent with proposed Item 106(d)(1), and require in Form 20-F annual disclosure regarding any previously undisclosed material cybersecurity incidents that have occurred during the reporting period (including a series of individually immaterial cybersecurity incidents that have become material in the aggregate) and updating disclosures regarding previously reported incidents.
Structured Data Requirements
The proposal would require companies to tag the information specified by Item 1.05 of Form 8-K and Items 106 and 407(j) of Reg S-K in Inline XBRL, including block text tagging of narrative disclosures, as well as detail tagging of quantitative amounts disclosed within the narrative disclosures.
At the open meeting
As noted above, Peirce dissented. In her statement, Peirce contended that the proposal exceeded the SEC’s limited role, “flirt[ing] with casting us as the nation’s cybersecurity command center, a role Congress did not give us.” In her view, the proposal goes beyond regulating companies’ disclosures. Rather, she said, the proposal, while
“couched in standard disclosure language, guides companies in substantive, if somewhat subtle, ways. First, the governance disclosure requirements embody an unprecedented micromanagement by the Commission of the composition and functioning of both the boards of directors and management of public companies. First, the proposal requires issuers to disclose the name of any board member who has cybersecurity expertise and as much detail as necessary to fully describe the nature of the expertise. Second, the proposal requires issuers to disclose whether they have a chief information security officer, her relevant expertise, and where she fits in the organizational chart. Third, the proposal requires granular disclosures about the interactions of management and the board of directors on cybersecurity, including the frequency with which the board considers the topic and the frequency with which the relevant experts from the board and management discuss the topic.”
To Peirce, these prescriptive disclosure rules resemble “a list of expectations about what issuers’ cybersecurity programs should look like and how they should operate.” (Of course, this type of disclosure requirement is not a new invention and was described by the late Marty Dunn as “regulation by humiliation” back when he was at the SEC.) Although SOX required disclosure regarding audit committee expertise, Peirce said, that disclosure was mandated by Congress and was at least “directly related to the reliability of the financial statements at the heart of our disclosure system.” This proposal goes beyond that by “requiring detailed disclosure about discrete subject matter expertise of directors and employees who are not necessarily executive officers or significant employees, and about the frequency of interactions between the board and management on a specific topic. While the integration of cybersecurity expertise into corporate decision-making likely is a prudent business decision for nearly all companies, whether, how, and when to do so should be left to business—not SEC—judgment.”
She also viewed the proposed requirement to disclose cybersecurity policies and procedures as, again, more than a disclosure requirement, but instead an attempt to “pressure companies to consider adapting their existing policies and procedures to conform to the Commission’s preferred approach, embodied in eight specific disclosure items.” These detailed disclosure obligations, she contended, “will have the undeniable effect of incentivizing companies to take specific actions to avoid appearing as if they do not take cybersecurity as seriously as other companies.” But, in Peirce’s view, that is a subject “best left to the company’s management to figure out in view of its specific challenges, subject to the checks and balances provided by the board of directors and shareholders.”
While she thought the incident reporting provisions might be unnecessary in light of existing guidance, she at least considered the proposed rules to be “sensible guideposts for companies to follow in reporting material cybersecurity incidents.”
In his statement, Gensler described the proposed rulemaking as part of a natural progression of disclosure requirements in response to evolving risks:
“We’ve been requiring disclosure of important information from companies since the Great Depression. The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis. Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs. Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.”
All of this data that companies and others collect, he ad-libbed, was akin to a “honey pot” for malefactors, and, as a result, cybersecurity incidents “happen a lot. They can have significant financial, operational, legal, and reputational impacts on public issuers.” Although many companies already provide some cybersecurity disclosure, Gensler believes that this disclosure would benefit both companies and investors “if this information were required in a consistent, comparable, and decision-useful manner.”
Lee, whose statement, as of this writing, has not yet been posted (so my notes will have to do), began by highlighting our increased reliance on digital technology—as evidenced by the open meeting held virtually today. Along with that growth has come an increase in prevalence of cyberattacks. These attacks, she said, have not just compromised personal information or disrupted individual business, but they also have the potential to create market-wide instability. Since the issuance of prior guidance, these risks have increased, along with concerns about under-reporting—inadequate and untimely disclosure that is short on detail. The proposed rules are intended to address these issues.
Commissioner Caroline Crenshaw observed that CEOs “have identified cybersecurity as the number one threat to business growth in the coming years. Experts have provided Congressional testimony that cyber threats are among the most significant strategic risks to our national security, economic prosperity, and public health and safety.…Further, the sophistication and frequency of cyberattacks have increased. And that increase has imposed corresponding economic harms and increased expenses on companies, and their investors.” She viewed the proposal as “an important step forward in addressing this growing and ever-present risk.”