Tag: cybersecurity disclosure
SEC adopts final rules on cybersecurity disclosure [UPDATED]
[This post revises and updates my earlier post primarily to provide a more detailed discussion of the contents of the adopting release.]
At an open meeting on Wednesday last week, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure. In his statement at the open meeting, Commissioner Jaime Lizárraga shared the stunning statistics that, last year, 83% of companies experienced more than one data breach, with an average cost in the U.S. of $9.44 million; breaches increased 600% over the last decade and total costs across the U.S. economy could run as high as trillions of dollars per year. Given the ubiquity, frequency and complexity of these threats, in March last year, the SEC proposed cybersecurity disclosure rules intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. Although a number of changes to the proposal were made in the final rules in response to objections that the proposal was too prescriptive and could increase companies’ vulnerability to cyberattack, the basic structure remains the same, with requirements for both material incident reporting on Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gensler, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors….Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
SEC adopts final rules on cybersecurity disclosure
In remarks to the audience at a Financial Times summit earlier this month, Gurbir Grewal, SEC Director of Enforcement, citing a recent poll from Deloitte, observed that over “a third of executives reported that their organization’s accounting and financial data was targeted by cyber adversaries last year.” As threats increase, Grewal maintained, cybersecurity is “foundational to maintaining the integrity of not just our securities markets, but our economy as a whole.” (See this PubCo post.) Similarly, in remarks in January 2022, SEC Chair Gary Gensler suggested that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. It’s also a national security issue. He reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. And, in his statement at the SEC open meeting yesterday morning, Commissioner Jaime Lizárraga shared the eye-opening stats that, last year, 83% of companies experienced more than one data breach, with an average cost in the U.S. of $9.44 million; breaches increased 600% over the last decade. Given the ubiquity, frequency and complexity of these threats, in March last year, the SEC proposed cybersecurity disclosure rules intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. At an open meeting yesterday morning, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure. Although a number of changes to the proposal were made in response to comments, the basic structure remains the same in the final rules, with requirements for both material incident reporting on Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance.
According to Gensler, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors….Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
SEC posts Spring 2023 Reg-Flex Agenda—not much new but lots left to do
The SEC’s Spring 2023 Reg-Flex Agenda—according to the preamble, compiled as of April 10, 2023, reflecting “only the priorities of the Chair”—has now been posted. Here is the short-term agenda, which shows most Corp Fin agenda items targeted for action by October 2023, potentially making the next four months an especially frenetic period, with only a few proposal-stage items targeted for April 2024. And here is the long-term (maybe never) agenda. Describing the new agenda, SEC Chair Gary Gensler observed that “[t]echnology, markets, and business models constantly change. Thus, the nature of the SEC’s work must evolve as the markets we oversee evolve. In every generation since President Franklin Roosevelt’s, our Commission has updated its ruleset to meet the challenges of a new hour. Consistent with our legal mandate, guided by economic analysis, and informed by public comment, this agenda reflects the latest step in that long tradition.”
The short-term agenda includes a half dozen or so potential proposals that were on the Fall 2022 agenda, but didn’t quite make it out of the starting gate, such as plans for disclosure regarding corporate board diversity and human capital. Similarly, issues related to the private markets are still awaiting proposals. The question of why and how to address the decline in the number of public companies has, in the recent past, been a point of contention among the commissioners: is excessive regulation of public companies a deterrent to going public or has deregulation of the private markets juiced their appeal, but sacrificed investor protection in the bargain? That debate may play out in the coming months with two new proposals targeted for October this year: a plan to amend the definition of “holders of record” and a proposal to amend Reg D, including updates to the accredited investor definition. And the behemoth proposal regarding climate change disclosure—identified on the last agenda as targeted for final action but not considered for adoption on the schedule as planned—reappears on the current calendar with a later target date. Will that new target be met? Notably, political spending disclosure is, once again, not identified on the agenda. That’s because Section 633 of the Appropriations Act once again prohibits the SEC from using any of the funds appropriated “to finalize, issue, or implement any rule, regulation, or order regarding the disclosure of political contributions, contributions to tax exempt organizations, or dues paid to trade associations.”
Ransomware attack—SEC charges misleading disclosures and disclosure control failure—again!
Last week, the SEC announced settled charges against Blackbaud, Inc., a provider of donor data management software to non-profit organizations, for misleading disclosures and disclosure control failures. According to the SEC, in May 2020, employees at the company discovered evidence of a ransomware attack. After an investigation, the company announced the incident and advised affected customers—specifying that sensitive donor data was not involved. But just a couple of weeks later, the SEC alleged, company personnel learned that the attacker had, in fact, accessed sensitive donor data for a number of customers—including bank account and social security numbers. But—you guessed it—it’s disclosure controls again! The personnel with knowledge of the scope of the breach “did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.” As a result, the SEC claimed, the company filed a Form 10-Q that still omitted mention of the exfiltration of sensitive donor data and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed Blackbaud’s disclosure as misleading and its disclosure controls as inadequate and imposed a civil penalty of $3 million. According to the Chief of SEC Enforcement’s Crypto Assets and Cyber Unit, “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous….Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
SEC crams much into packed Fall 2022 agenda
The SEC’s Fall 2022 Reg-Flex Agenda—according to the preamble, compiled as of October 6, 2022, reflecting “only the priorities of the Chair”—has just been posted, and it looks like the SEC will have another frenetic year ahead dealing with new and pending proposals—and so will we. Describing the new agenda, SEC Chair Gary Gensler said that it “reflects the need to modernize our ruleset, moving deliberately to update our rules in light of ever-changing technologies and business models in the securities markets. Our ability to meet our mission depends on having an up-to-date rulebook—consistent with our mandate from Congress, guided by economic analysis, and shaped by public input.” Here are the short-term and long-term lists, which show all Corp Fin agenda items scheduled for action by either April or October 2023, with the first four months looking especially jam-packed. There’s no dispute that the agenda is laden with major proposals, and many of these proposals—climate disclosure, cybersecurity, SPACs, share buybacks—are apparently at the final rule stage. Implementing all of these proposals, if adopted, would likely represent a challenge for many companies; whether overwhelmingly so remains to be seen.
SEC’s Investor Advisory Committee discusses human capital and beneficial ownership
On Wednesday, the SEC’s Investor Advisory Committee held a jam-packed meeting to discuss, among other matters, human capital disclosure and the SEC’s proposal on Schedule 13D beneficial ownership. Wait, didn’t this Committee just have a meeting in June about human capital disclosure, part of the program about non-traditional financial information? (See this PubCo post.) Yes, but, as the moderator suggested, Wednesday’s program was really a “Part II” of that prior meeting, expanding the discussion from accounting standards for human capital disclosure to now consider other labor-related performance data metrics that may be appropriate for disclosure. The Committee also considered whether to make recommendations in support of the SEC’s proposals regarding cybersecurity disclosure and climate disclosure.
Audit Analytics reports on cybersecurity disclosure
These days, with our government warning regularly about the likelihood of breaches in cybersecurity, concerns about cyber threats have only multiplied. Introducing the SEC’s new proposal for cybersecurity disclosure in March (see this PubCo post), SEC Corp Fin Director Renee Jones said that, in today’s digitally connected world, cyber threats and incidents pose an ongoing and escalating threat to public companies and their shareholders. In light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, cybersecurity risk is affecting just about all reporting companies, she continued. While threats have increased in number and complexity, Jones said, currently, company disclosure about cybersecurity is not always decision-useful and is often inconsistent, not timely and sometimes hard for investors to locate. What’s more, some material incidents may not be reported at all. Audit Analytics has just posted a new report regarding trends in cybersecurity incident disclosures. The report indicates that, in 2021, there was a 44% increase in the number of breaches disclosed, from 131 in 2020 to 188 in 2021, the most breaches disclosed in a single year since 2011. And, since 2011, the number of cybersecurity incidents disclosed annually has increased nearly 600%. Interestingly, however, in 2021, only 43% of cybersecurity incidents were disclosed in SEC filings, the report said.
SEC votes to propose new rules for cybersecurity disclosure and incident reporting [UPDATED]
[This post revises and updates my earlier post primarily to reflect the contents of the proposing release.]
At an open meeting last week, the SEC voted, three to one, to propose regulations “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” At the meeting, SEC Corp Fin Director Renee Jones said that, in today’s digitally connected world, cyber threats and incidents pose an ongoing and escalating threat to public companies and their shareholders. In light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, cybersecurity risk is affecting just about all reporting companies, she continued. While threats have increased in number and complexity, Jones said, currently, company disclosure about cybersecurity is not always decision-useful and is often inconsistent, not timely and sometimes hard for investors to locate. What’s more, some material incidents may not be reported at all. The SEC’s proposal is intended to provide meaningful and decision-useful information to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. As described by Jones, the SEC approached the rulemaking from two perspectives: first, incident reporting and second, periodic disclosure regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gary Gensler, “[o]ver the years, our disclosure regime has evolved to reflect evolving risks and investor needs….Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks….I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” Notably, the proposal is quite prescriptive, with a number of multi-part bullet point disclosure requirements, just the sort of thing to elicit a dissent from Commissioner Hester Peirce. The public comment period will be open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.
SEC votes to propose new rules for cybersecurity disclosure and incident reporting
In remarks in January before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler addressed cybersecurity under the securities laws. (See this PubCo post.) Gensler suggested that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. In addition, he said, it’s a national security issue. Gensler reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. (As reported by the NYT, that has been especially true in recent weeks, where “the war in Ukraine is stress-testing the system.”) And today, according to Corp Fin Director Renee Jones, in light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, that’s more true than ever, with escalating cybersecurity risk affecting just about all reporting companies. Given the recent consternation over hacks and ransomware, as well as the rising potential for cyberattacks worldwide, it should come as no surprise that the SEC voted today, by a vote of three to one, to propose regulations “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” While threats have increased in number and complexity, Jones said, currently, company disclosure is not always decision-useful and is often inconsistent, not timely and hard for investors to find. What’s more, some material incidents may not be reported at all. As described by Jones, the SEC approached the rulemaking from two perspectives: first, incident reporting and second, periodic disclosure regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gary Gensler, “[o]ver the years, our disclosure regime has evolved to reflect evolving risks and investor needs….Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks….I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” The public comment period will be open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.
Gensler discusses cybersecurity under the securities laws
In remarks yesterday before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler addressed cybersecurity under the securities laws. Gensler suggests that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. It’s also a national security issue. He reminds us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. Given the frequency of cybersecurity incidents, the SEC is “working to improve the overall cybersecurity posture and resiliency of the financial sector.” To Gensler, the SEC’s cybersecurity policy has three components: “cyber hygiene and preparedness; cyber incident reporting to the government; and in certain circumstances, disclosure to the public.” In his remarks, Gensler considered cybersecurity in a variety of contexts, including SEC registrants in the financial sector, such as broker-dealers, investment companies, registered investment advisers and other market intermediaries; service providers and the SEC itself, but his discussion of cybersecurity in the context of public companies is of most interest here.