In remarks to the audience at a Financial Times summit earlier this month, Gurbir Grewal, SEC Director of Enforcement, citing a recent poll from Deloitte, observed that over “a third of executives reported that their organization’s accounting and financial data was targeted by cyber adversaries last year.” As threats increase, Grewal maintained, cybersecurity is “foundational to maintaining the integrity of not just our securities markets, but our economy as a whole.” (See this PubCo post.) Similarly, in remarks in January 2022, SEC Chair Gary Gensler suggested that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. It’s also a national security issue. He reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. And, in his statement at the SEC open meeting yesterday morning, Commissioner Jaime Lizárraga shared the eye-opening stats that, last year, 83% of companies experienced more than one data breach, with an average cost in the U.S. of $9.44 million; breaches increased 600% over the last decade. Given the ubiquity, frequency and complexity of these threats, in March last year, the SEC proposed cybersecurity disclosure rules intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. At an open meeting yesterday morning, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure. Although a number of changes to the proposal were made in response to comments, the basic structure remains the same in the final rules, with requirements for both material incident reporting on Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance.
According to Gensler, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors….Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Here are the final rule, the fact sheet and the press release. I plan to publish an update to this post with more detail about the rule proposal from the adopting release at a later time, so stay tuned.
Of course, the SEC’s concerns about cybersecurity disclosure are not new. In 2018, the SEC issued long-awaited guidance on cybersecurity disclosure. The guidance addressed disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. That guidance built on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding, in particular, new discussions of policies and insider trading. While the guidance was adopted unanimously, some of the commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 staff guidance—and hardly more compelling. (See this PubCo post.) Moreover, although there were improvements in disclosure following release of the guidance, concern mounted that company disclosures were not consistent, comparable or decision-useful. In addition, cyber risks had escalated during and after the pandemic with more remote work, together with more widespread reliance on third-party systems. To address these concerns, last year, the SEC proposed amendments intended to “better inform investors” about public companies’ “risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.” (See this PubCo post.)
As described in the fact sheet, the final rules will require both incident reporting and periodic disclosure.
Incident reporting. The fact sheet indicates that new Item 1.05 of Form 8-K will require disclosure of any cybersecurity incident that a company determines to be material, comprising a description of the “material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.” Companies will be required to “determine the materiality of an incident without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination.” For required information that was “not determined or was unavailable at the time of the initial Form 8-K filing,” companies will be required to disclose the information by amending the initial filing within four business days after it becomes known. An initial 30-day delay is permissible in the event that the U.S. Attorney General “determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. If the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through possible exemptive orders.” The disclosure will be required to be tagged in Inline XBRL. Untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility. For foreign private issuers, Form 6-K is being amended to require FPIs “to furnish information on material cybersecurity incidents that they make or are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders.”
Periodic disclosure. According to the fact sheet, new Item 106 of Reg S-K will require companies “to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.” This disclosure will be required in Annual Reports on Form 10-K and will be required to be tagged in Inline XBRL. For FPIs, Form 20-F is being amended to require FPIs to make comparable periodic disclosure.
Timing. The final rules will become effective 30 days following publication of the adopting release in the Federal Register. With respect to Reg S-K Item 106 and the comparable requirements in Form 20-F, all registrants will be required to include these disclosures in their annual reports beginning with fiscal years ending on or after December 15, 2023. Compliance with the 8-K and 6-K incident disclosure requirements will be required for all registrants other than smaller reporting companies beginning on the later of 90 days after the date of publication in the Federal Register or December 18, 2023. SRCs will have an additional 180 days and must begin complying with Form 8-K Item 1.05 on the later of 270 days after the date of publication in the Federal Register or June 15, 2024. With respect to compliance with inline XBRL, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after the initial compliance date for any issuer for the related disclosure requirement.
Changes. In the adopting release, the SEC summarizes the important changes made in the final rules in response to comments received. With respect to incident disclosure, the final rules “narrow the scope of disclosure,” focusing on the impact or reasonably likely impact of the incident, rather than on the details of the incident itself, such as remediation status. The final rules also add “a limited delay for disclosures that would pose a substantial risk to national security or public safety, requir[e] certain updated incident disclosure on an amended Form 8-K instead of Forms 10-Q and 10-K for domestic registrants, and on Form 6-K instead of Form 20-F for [FPIs], and omit the proposed aggregation of immaterial incidents for materiality analyses,” instead defining cyber incident to include a “series of related unauthorized occurrences.” With respect to the annual disclosure, the final rules “streamlin[e] the proposed disclosure elements related to risk management, strategy, and governance.” In addition, the SEC did not adopt the proposed requirement to disclose board cybersecurity expertise; that’s now on management.
At the open meeting
In his statement, Chair Gensler placed the rules in the context of a historical tradition. He observed that “Congress recognized the benefits to investors of current reporting in enacting the Sarbanes-Oxley Act of 2002. Through the Act, Congress required companies to ‘disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer… as the Commission determines … is necessary or useful for the protection of investors and in the public interest.’ In 2004, implementing Congress’s mandate, the Commission adopted rules expanding current reporting on a range of matters. Today’s rules will add material cybersecurity incidents to the list of current reporting requirements…. Over the generations, our disclosure regime has evolved to meet investors’ needs in changing times. Today’s adoption marks only the latest step in that long tradition.”
He also observed that the final rules were responsive to public comment, “streamlin[ing] required disclosures for both periodic and incident reporting. For example, the final rules will require issuers to disclose only an incident’s material impacts, nature, scope, and timing, whereas the proposal would have required additional details, not explicitly limited by materiality. In considering today’s cyber-related disclosure rules, I am guided by the concept of materiality. Our markets depend on a basic bargain: Investors get to decide which risks to take so long as companies raising money from the public make full, fair, and truthful disclosure. Thus, if an issuer has a material cyber incident, then under today’s final rules, the issuer will need to disclose material information about that material incident.”
Commissioner Hester Peirce, who had voted against issuing the proposal, continued her opposition to the final rule, even though, she acknowledged in her statement, it was better than the proposal. In her view, the final rules “ignore both the limits to the SEC’s disclosure authority and the best interests of investors. Moreover, the Commission has failed to explain why we need this rule.” She noted that both Corp Fin and the SEC have issued interpretive guidance; if “companies fail to make the required disclosures about cyber risks or inform investors of a cyber incident in a timely manner, the Commission can bring an enforcement action based on existing disclosure obligations.” In her view, new regulations were not necessary. And these overly prescriptive rules are especially not necessary: the new rule “reads like a test run for future overly prescriptive, overly costly disclosure rules covering a never-ending list of hot topics.”
To Peirce, something else is “overly”: that’s the SEC’s overly expansive view of its authority. First, she said, the SEC “rejects financial materiality as the touchstone for its disclosures, and fails to offer in its place a meaningful intelligible limit to its disclosure authority.” Although the SEC has authority to “take actions in the public interest and for the protection of investors, those actions need to relate to our core mission. The release prescribes granular disclosures, which seem designed to better meet the needs of would-be hackers rather than investors’ need for financially material information.” Second, she believes the required disclosures are normative: “the SEC’s potentially non-material risk management and governance disclosures veer into managing companies’ cyber defenses; the new rule looks like a compliance checklist for handling cyber risk, a checklist the SEC is not qualified to write.” The mandatory disclosures “may serve to drive companies to spend resources on compliance with our rules and conformity with other companies’ disclosed practices, instead of on combatting cyber threats as they see fit.” Third, Peirce takes issue with the rule’s “overly narrow law enforcement exception and general refusal to take into account other cyber disclosure laws.” The rule provides for only a 30-day delay and “makes extensions difficult beyond the initial thirty days.” In addition, she contended, the rules fail to consider the mandates of other agencies.
In addition, Peirce contended that the SEC did not show appropriate concern for the costs of the new rules to investors; a “flexible, principles-based approach that allows for disclosures tailored to the issuer making them would be a better way to protect investors.” In addition, the “compliance timelines are aggressive even for large companies…. Companies will have only months to align their internal disclosure processes with the new incident reporting requirements.”
Of even greater concern to Peirce was
“the potential for the rule to aid cyber criminals. The strategy and governance disclosures risk handing them a roadmap on which companies to target and how to attack them. The 8-K disclosures, which are unprecedented in nature, could then tell successful attackers when the company finds out about the attack, what the company knows about it, and what the financial fallout is likely to be (i.e., how much ransom the attacker can get). The requirement to file an amended 8-K when new information comes in will provide the attacker regular updates on the company’s progress. The 8-K disclosures also will signal to other would-be attackers an opportune time to attack. The careful drafting necessary to avert some of these problems will be difficult in the four-day filing timeframe. The release at least acknowledges these possible adverse consequences of the new disclosures. Even as the new disclosures tip off informed cyber criminals, they might mislead otherwise uninformed investors without first-hand knowledge of cyber attacking. The fast timeline for disclosing cyber incidents could lead to disclosures that are ‘tentative and unclear, resulting in false positives and mispricing in the market.’”
Most interesting, however, were Peirce’s largely scripted questions for Erik Gerding, Corp Fin director, which went on for quite some time. (Based on my notes only, so standard caveats apply.)
- “What assurances do you have that the Attorney General will be able to act in the timeframe we established?” Gerding responded that the staff had consulted with the DOJ to establish an inter-agency process in which the DOJ would notify the company that it could delay filing.
- How does the company reach the DOJ in the four-day period? Gerding contended that companies are often in communication with the DOJ. (Really?)
- When a company has experienced a breach, it needs to devote time early on to containing its losses. Won’t these reporting requirements disrupt those containment and recovery processes? In Peirce’s words, “Are you concerned that companies in the midst of a cyber-attack will be hindered in their ability to respond by having to alert the attacker about what they know about the attack?” According to Gerding, if a company follows its disclosure controls and procedures, those activities should not be impeded. In addition, companies must first determine the materiality of the incident, so the reporting requirement will not kick in immediately in the hours right after the breach. And there is no timeline for determining materiality, just a requirement that there not be unreasonable delay in making that determination.
- Isn’t this type of 8-K different from the norm; here, a filing is required when the company may not yet have its arms around the problem? In her words, “Are you concerned that the short preparation time for the Form 8-K could result in investors receiving information that is inaccurate?” Gerding responded that, if there is a determination of materiality and not all the information is available at the time of filing, then companies should acknowledge that fact with a statement to that effect and provide that information in amendments within four business days after it becomes known.
- The final rules remove the proposed requirement to aggregate immaterial incidents. However, the rules require disclosure of cyber incidents, defining “cyber incident” to include “an unauthorized occurrence, or a series of related unauthorized occurrences.” “Will companies, under this new approach, nevertheless have to develop new costly systems to track immaterial events? The Commission leaves ‘related’ undefined. How would you explain that term to a company trying to figure out whether to aggregate occurrences for purposes of figuring out whether to file an 8-K?” As examples, Gerding suggested that related occurrences could include a series of continued incidents conducted by the same bad actor or a series of incidents attacking the same vulnerability.
- “‘Cybersecurity incident’ is defined to include anything that ‘jeopardizes’ information systems. Under this definition, a cybersecurity incident could occur whenever information is merely at risk even if not actually stolen. Won’t companies have difficulty tracking cybersecurity incidents, so broadly defined?” Gerding responded that the definition focuses on unauthorized occurrences, and these might, for example, affect the integrity or availability of the system.
- “The Small Business Administration wrote us a letter recommending that we publish a Supplemental Initial Regulatory Flexibility Analysis because the one in the proposing release ‘lacks essential information,’ including which small entities would be affected and adequate consideration of alternatives. Why didn’t we publish a supplemental IRFA?” The staff believes that the final analysis complies with the Regulatory Flexibility Act.
- “One commenter argued that the rules could make companies less nimble in updating cyber policies and procedures because they would have to simultaneously change their regulatory filing. Is this a concern?” Gerding responded that the rules were not intended to impact updating of policies.
- “The timelines set forth in the release for coming into compliance with these rules are aggressive. At least one commenter suggested a two-year compliance period, but we are requiring same-year compliance. How is that reasonable?” Gerding replied that they believe the compliance periods are reasonable.
In her statement, Commissioner Caroline Crenshaw observed that “cybersecurity breaches reported by public companies increased by nearly 600% in the last decade and the costs, borne by issuers and their investors, are estimated to be in the trillions of dollars per year in the U.S. alone. The numbers are staggering, and I’m cognizant that even those substantial measurements do not tell the whole story. Cybersecurity intrusions can go beyond the loss of sensitive information and related remediation; as we saw in the Colonial Pipeline intrusion in 2021, they can alter the normal course operations of complex, capital- and infrastructure-intensive businesses.” She emphasized that knowledge of cybersecurity threats and breaches is “essential” given that “breaches can (and do) result in loss of revenue, customers, and business opportunities. Those harms may be realized or they may be ongoing in the form of lost sensitive information, remediation costs, and losses in shareholder value.”
Nevertheless, according to commenters, “existing disclosure practices vary in substance, organization, and presentation, thus establishing a need for, and benefit of, comparable, reliable, and decision-useful disclosures to investors.” This rulemaking serves as an example “of how our continuous reporting framework incorporates emerging risks—just as it was intended to do.” For example, the final rule includes “the important first step of ensuring adequate disclosure of managements’ cyber expertise. Commenters of all stripes agreed cyber expertise at public companies is critical, and this new disclosure will help ensure investors understand what skillset management brings to bear on the day-to-day oversight and operations related to cyber risks and incidents.” Still, she advocated that the SEC “continue to consider further disclosures, such as whether there is cyber-related expertise on the board,” a provision that was eliminated from the proposal in the final rules.
Commissioner Mark Uyeda lamented, in his dissenting statement, the shift from the principles-based guidance of 2018 to the highly prescriptive requirements imposed by the new rules. He observed that some commenters believed that the 2018 guidance “already compelled sufficient cybersecurity disclosure. Given this support for the existing guidance, today’s amendments could have addressed other concerns by making incremental changes to the Commission’s disclosure regime as it applies to cybersecurity. However, rather than using a scalpel to fine-tune the principles-based approach of the 2018 Interpretive Release, today’s amendments swing a hammer at the current regime and create new disclosure obligations for cybersecurity matters that do not exist for any other topic.” Cybersecurity is just one of many risks; in his view, the new rules elevate cybersecurity above other, perhaps more material, risks, in the absence of any reasoned explanation for that elevation. As an example, he cites the requirement to disclose detailed information about management’s role in assessing material risks from cybersecurity threats, including “disclosure equivalent to the resumes” of responsible management and committee members.
Further, the new rules “break new ground by requiring real-time, forward-looking disclosure,” that is, mandating forward-looking statements regarding the reasonably likely impact of a breach, including impact on the affected company’s financial condition and results of operations. In addition, “a company will be required to amend its Form 8-K to disclose any material impacts, or reasonably likely material impacts, that were not determined or were unavailable at the time of the initial filing. No other Form 8-K event requires such broad forward-looking disclosure that needs to be constantly assessed for a potential amendment.” Even material acquisitions do not require this type of “constant reassessment.”
He also took issue with the exception for national security and public safety, which provides for a maximum delay of 120 days. He contrasted that exception with Rules 0-6 and 171, which prohibit disclosure of classified information entirely. In this context, he questioned “the notion that a reasonable investor would be unwilling to sacrifice receiving information that may jeopardize national security or public safety.” Rather, he maintained, most investors hold a portfolio of securities, not just a single security. “Premature public disclosure of a cybersecurity incident at one company,” he suggested, “could result in uncertainty of vulnerabilities at other companies, especially if it involves a commonly used technology provider, resulting in widespread panic in the market and financial contagion. Early information is often incomplete and not correct. One only need to look at the regional banking crisis to see how speculation can destabilize entire sectors, or even the markets as a whole.”
Finally, he disagreed with the conclusion that the final rule is not a “major rule” under the Small Business Regulatory Enforcement Act, given the likely annual impact on the economy of over $100 million. Off-script, he asked the staff for additional information regarding fn. 131 and the interplay with Rule 0-6. Gerding replied that the new rule doesn’t change Rule 0-6, but offered further consultation with the staff.
In his statement, Commissioner Lizárraga observed that, notwithstanding data regarding the growth and cost of cyber incidents, “today, there are zero disclosure requirements that explicitly refer to cybersecurity risks, governance or incident reporting. The final rule will change that, and provide investors with more timely, standardized, and informative disclosures, which will reduce market mispricing and information asymmetries.” Currently, companies can cherry-pick their disclosures, “if they disclose at all.” The new specific disclosure requirements will “reduce the risk of adverse selection, and the potential mispricing of a company. Beyond the clear benefits to investors, the rule will also have broader, indirect benefits. For example, more timely reporting of cyber incidents can serve as an alert to companies in the same sector that malign actors are launching cyber-attacks. Such companies could have more time to raise their cyber defenses and to mitigate any potential damage. Consumers may also benefit through more informed decision-making about which companies to entrust with their sensitive personal information.” With regard to concerns raised that “providing detailed disclosures of cyber incidents could provide a roadmap for future attacks,” Lizárraga pointed out that the final rule “does not require specific, technical information that would serve that harmful purpose. Instead, it is focused on what the material impacts, or reasonably likely material impacts, of the incident will be,” which could affect valuation and profitability. For example, he suggested, “even if not quantifiable, the risk that a large segment of customers will lose faith in a business’s ability to protect sensitive personal information may certainly be material to an investor’s decision to invest in a company. This is especially the case in our post-COVID world, where working people in our country spend ever greater amounts of time working remotely.”