On March 9, 2022, the Securities and Exchange Commission (SEC) issued a proposed rule on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. The SEC will likely vote to finalize the rule before this summer.
Proposed Rule Provisions
Under the proposed rule, public companies would be required to disclose information about cybersecurity incidents, and make periodic disclosures about policies and procedures related to cybersecurity risk management.
Under the proposed rule, Form 8-K—which is currently used to govern cybersecurity incident disclosures—would be amended to add Item 1.05, which would require publicly registered companies (registrants) that experience a “material cybersecurity incident” to disclose the following:
- The date and time that qualified incidents are discovered, and a determination as to whether the incident is ongoing;
- A description of the nature and scope of the incident;
- Any data that was stolen, altered, accessed, or used for an unauthorized purpose;
- The effect the incident had on the registrant’s operations; and
- Whether the incident has been or is currently being remediated.
These disclosures should be made on an amended version of Form 8-K within four business days after a company determines an incident is considered “material.” The proposal specifically states the disclosure requirement is triggered upon this determination, not at the outset of the incident’s discovery.
A material cybersecurity incident is defined as one that’s consistent with the established case precedent in securities law. In other words, the information will be deemed material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in conducting their investment decision, or if it would “significantly alter the ‘total mix’ of information made available.” The proposal also provides a non-exhaustive list of examples of incidents that may be material, starting on page 24.
In addition, Item 106(d) would be added to Regulation S-K and Item 16J(d) would be added to Form 20-F to require registrants to provide the SEC with updated information on a material cybersecurity incident that was previously disclosed on Form 8-K—and to disclose incidents that were not previously deemed material but are deemed material when aggregated with other “immaterial” incidents.
These required filings would give investors information about reported incidents that, at the time of the initial disclosure, registrants may not have had sufficient information on or taken action to resolve. These filings would require the registrant to document the remedial actions it has taken—or will take—to respond to the incident, which is not information that is currently required under Form 8-K but would ostensibly be relevant to an investor.
Registrants should also note that Form 6-K, which is utilized by foreign private issuers of securities, would be amended to add “cybersecurity incidents” as a potential trigger for mandatory filing.
Make periodic disclosures about their policies and procedures to identify and manage cybersecurity risks.
In addition to the requirement to update disclosures, Item 106 would be added to Regulation S-K so that a registrant would be required to:
- Outline the policies and procedures for identifying and managing risks resulting from an incident or threat, “including whether the registrant considers cybersecurity risks as part of its business strategy, financial planning and capital allocation”; and disclose:
- The board’s cybersecurity risk oversight;
- The role of management (the C-Suite) in assessing and managing these risks;
- The cybersecurity expertise of management;
- The role of management in implementing the registrant’s cybersecurity policies, procedures, and strategies.
In addition, the proposal would amend Item 407 of Regulation S-K and Form 20-F to require registrants to disclose whether any member of their board has expertise in cybersecurity. If so, the registrant would be required to disclose the nature and extent of that expertise. The proposal does not define this expertise, but it does provide a non-exhaustive list of criteria to consider, such as prior work experience in cybersecurity, obtaining a certification or degree in cybersecurity, or possessing “knowledge, skills, or other background in cybersecurity.”
Importantly, if a board member is designated as possessing “cybersecurity expertise,” the proposal clarifies that they would not be deemed an “expert” for any purpose.
Considerations for Businesses
The proposal is subject to a public comment period which will remain open for 60 days following the publication of the release on the SEC’s website—or 30 days following publication in the Federal Register, whichever period is longer.
The proposal notes that these amendments are intended to better inform investors about the risk management, strategy, and governance practices of SEC registrants, and are designed to provide the agency with timely notice of incidents. According to a statement by SEC Chair Gary Gensler, the need for this proposal is significant, considering the emerging and evolving risks from cybersecurity incidents in the United States today.
Public companies that may be subject to this proposed rule may want to consider reviewing and updating their cybersecurity incident response and disclosure plans, board oversight provisions, and management programs for the governance of vendors and third-party service providers.