By R. Jason Howard, J.D.
In a speech, Erik Gerding, Director of the SEC’s Division of Corporation Finance, spoke about the Commission’s adoption of a final rule which will require that public companies disclose material cybersecurity incidents they experience and, on an annual basis, provide material information regarding their cybersecurity risk management, strategy, and governance.
According to the Director, the final rule will provide investors with timely, consistent, and comparable information about an important set of risks that can cause significant losses to public companies and their investors.
The Director offered an overview of the rule and its rationale, explaining that company disclosure practices have remained inconsistent and the Commission has noted that cybersecurity risks have increased “alongside the ever-increasing share of economic activity that depends on electronic systems, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology.” The Commission also noted that cybersecurity incidents increase the cost to companies and their investors, and those costs are rising.
Those trends make it clear that improved disclosure is needed, and the final rule, according to the Director, meets that need. Importantly, the Director explained that the Commission “is not seeking to prescribe particular cybersecurity defenses, practices, technologies, risk management, governance, or strategy,” but investors have indicated the need for consistent and comparable disclosures to evaluate how public companies are addressing cybersecurity risks and threats.
To assist investors with their evaluation of companies, the final rule has two components: a requirement to disclose material cybersecurity incidents four business days after a public company determines the incident is material, and a requirement to annually disclose information regarding cybersecurity risk management, strategy, and governance.
The Director then spoke about the Cybersecurity Incident Disclosure Provision and noted that this disclosure is focused on the material impacts of a material cybersecurity incident and explained what must be disclosed, when it must be disclosed, and why the Commission used the materiality standard.
Next, the Director addressed the National Security and Public Safety Delay Provision, explaining that the Commission provided for this delay in case reporting the incident would pose a substantial risk to national security or public safety. To that end, the Department of Justice recently issued guidelines “describing the process a company should follow to obtain a delay and the procedures the Attorney General will use to evaluate whether a delay is warranted.” In addition, the Division of Corporation Finance issued a Compliance & Disclosure Interpretation (CDI) which, among other things, provides questions and answers about situations in which a registrant experiences a material cybersecurity incident and the required filings that must be made.
Turning to the Risk Management, Strategy, and Governance Disclosure Provisions, the Director explained that the Commission streamlined the required annual disclosures to recognize that companies have diverse approaches to cybersecurity based on their circumstances and not every company needs to have formal policies and procedures in place.
Next Steps. With companies working to ensure compliance with the new rules, Gerding emphasized the Division’s longstanding open-door policy, and he explained that the Commission may issue forward-looking comments or additional CDIs. In recommending new disclosure requirements, the Commission is hoping to elicit tailored disclosures that provide consistent, comparable, and decision-useful information to investors.