Thursday, March 10, 2022

SEC proposes to mandate cybersecurity disclosures by public companies

By Rodney F. Tonkovic, J.D.

Rule amendments proposed by the SEC would require public companies to report cybersecurity incidents. First, the proposed amendments would require mandatory and ongoing disclosures regarding companies' governance, risk management and strategy concerning cybersecurity risks. Second, current reporting of material cybersecurity incidents would be mandatory. The proposal was approved during an open meeting by a 3-1 vote with Commissioner Peirce dissenting. The comment period will be open for 60 days or 30 days after publication in the Federal Register, whichever period is longer (Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11038, March 9, 2022).

The need for improvement. Research suggests that cybersecurity is a top governance-related issue for investors, the Commission says. The proposal notes that today's world is digitally-connected, particularly in the context of the increased prevalence of remote work spurred by the pandemic. Hand-in-hand with this connectedness is an increase in cybersecurity threats and incidents and their potential to affect the economy as a whole.

The Commission issued interpretive guidance in 2011 and in 2018 on existing disclosure obligations relating to cybersecurity risks and incidents, and while many issuers provide cybersecurity disclosure to investors, the Commission says that what is available tends to be inconsistent, not timely, and difficult for investors to find. More recently, the Commission has proposed to extend the requirements of Regulation SCI to ATSs trading government securities and to require investment advisers to adopt cybersecurity policies and procedures. The new proposal is intended to, as Chair Gensler said, "strengthen investors' ability to evaluate public companies' cybersecurity practices and incident reporting" and provide this information in a "consistent, comparable, and decision-useful manner."

Incident disclosure. The release would require current disclosure of material cybersecurity incidents. To that end, new Item 1.05 of Form 8-K would require registrants to disclose information about a cybersecurity incident within four business days after the registrant determines that an incident is material; what constitutes "materiality" will be consistent with the cases addressing materiality under the securities laws. The disclosures include: when the incident was discovered; the nature and scope of the incident; whether data was stolen or used; the effect on operations; and remediation. While registrants are expected to be responsive, the proposal notes that detailed technical information is not required. There is no provision for a reporting delay when there is an ongoing investigation. Similar and related amendments would also be made to Forms S-3, SF-3, and 6-K.

Periodic disclosure. Next, the proposal includes enhanced and standardized disclosures regarding cybersecurity risk management, strategy, and governance. Proposed new Item 106 of Regulation S-K would require the disclosure of any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8-K in the registrant's Forms 10-Q or 10-K. The new item would further require disclosure of incidents that were immaterial but have become material in the aggregate, such as a number of small, but continuous cyber-attacks. In addition, new Item 106(b) would require the disclosure of policies and procedures for assessing cybersecurity risks, and Item 106(c) would require disclosure of a registrant's cybersecurity governance, including the board's oversight of cybersecurity risk and management's role and expertise in assessing and managing risks. Item 106(a) provides definitions, including "cybersecurity incident" and "cybersecurity threat."

Finally, the Commission proposed to amend Item 407 of Regulation S-K to require disclosure about the cybersecurity expertise of members of the registrant's board of directors. The disclosure would be required in a registrant's proxy or information statement when action is to be taken with respect to the election of directors, and in its Form 10-K. "Cybersecurity expertise" is not defined, but there is a non-exclusive list of criteria in proposed Item 407(j)(1)(ii). An amendment to Form 20-F would require disclosure of the information required by Items 106 and 407 by foreign private issuers.

Peirce dissents. In her dissenting statement, Commissioner Peirce acknowledged that cybersecurity risk is at the top of everyone's mind. While the SEC has an important role in ensuring that investors get the information they need, she said that this proposal "flirts with casting us as the nation's cybersecurity command center, a role Congress did not give us." The Commission's role is to regulate public companies' disclosures, not their activities, she said, and the Commission does not have the same authority over public companies as it does over registered entities like investment advisers and broker-dealers. Primarily, though, Peirce is concerned about the SEC's need to cooperate with, or defer to, the needs of state and federal law enforcement agencies—that is, whether disclosure should be delayed if doing so increases the chance of recovering stolen funds or finding wrongdoers.

On the plus side, Peirce said that the proposed rules are "sensible guideposts" for reporting material cybersecurity incidents. She praised the fact that the rules are "rooted in materiality" and give companies flexibility in determining the magnitude of an incident before the disclosure clock runs. But Peirce remains unconvinced that these rules are necessary in light of the 2018 guidance.

The release is No. 33-11038.