Cyber Risk Management, Response and Transparency: SEC Proposes Public Company Cybersecurity Disclosure Rules
March 14, 2022, Covington Alert
On March 9, 2022, the Securities and Exchange Commission (SEC) proposed new rules that would require U.S. public companies to report their material cybersecurity incidents and to provide disclosure in their periodic reports about their cybersecurity risk management and governance. The proposed rules would represent a significant expansion in the reporting obligations and transparency around public companies’ cyber risk management policies and procedures and the oversight role of management and boards of directors in managing companies’ cybersecurity risk.[1] The proposed rules also reflect the fundamental shift in focus on cybersecurity risk by the Biden Administration and the impact domestically and globally of such risk across the financial markets.
New Proposed Form 8-K Reporting of Material Cybersecurity Incidents
The proposed rules would add new Item 1.05 to Form 8-K, which would require a company to file its Form 8-K within four business days of determining that it has experienced a material cybersecurity incident.[2] The report would need to describe the following (to the extent known):
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the company’s operations; and
- Whether the company has remediated or is currently remediating the incident.
The SEC’s proposal clarifies that companies would not be required to disclose specific, technical details about their planned response to an incident, cybersecurity systems, related networks and devices or potential system vulnerabilities, if doing so would impede the company’s response or remediation efforts.
Definition of Cybersecurity Incident
The proposal defines “cybersecurity incident” as “an unauthorized occurrence on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.” Because the proposal defines the term “information systems” to mean information resources owned or used by the company, a Form 8-K could be triggered not only by an attack on the company’s own systems, but also by an attack on the systems of a third-party service provider (e.g., a cloud service provider).
Third-Party Service Providers
Under the proposed rules, a public company would need to be able to assess whether a particular incident at a third-party service provider would have a material impact on the company and thereby trigger a Form 8-K filing. As a practical matter, this may require public companies to enhance their policies and procedures to ensure appropriate oversight of the cyber risk profile of, and the company’s dependence on, third-party service providers. The SEC noted that, where a cybersecurity incident involves a third party’s information systems, a company may lack access to the information necessary to fully respond to the proposed disclosure obligation, and has asked for comment on whether it would be appropriate to provide a safe harbor for disclosure in these circumstances, and, if so, the scope of such a safe harbor.
Disclosure Obligation Supersedes Other Considerations
Companies dealing with a cybersecurity incident typically weigh many factors beyond the securities laws when deciding whether to publicly disclose the incident, such as the impact of disclosure on customers, the readiness of a patch, or whether disclosure would impede the ability to identify and contain the threat actor. In some cases, public disclosure could alert a threat actor and limit the company’s ability to contain the threat, or potentially exacerbate the effect of a breach. However, as drafted, the proposed rules would not permit a delay in reporting a material incident, such as to permit progress on internal or external investigations, including by law enforcement, once the company determines the incident is material. The SEC stated its belief that the potential harm from publicly disclosing a cybersecurity incident is outweighed by the benefit to investors of timely disclosure. We expect this to be a point of emphasis in the public comment process.
Key Takeaways
- While public companies often elect to disclose cybersecurity incidents, the SEC expressed a concern that these incidents are under-reported or difficult to find in companies’ disclosures.
- The proposal’s “materiality” trigger remains tied to the traditional definition of “materiality” articulated by courts and the SEC.
- The deadline for filing is triggered upon determination that an incident was material and not discovery of the incident. To address concerns about potential delays in making materiality determinations, the proposed instruction to Item 1.05 would specify that companies must make the determination “as soon as reasonably practicable” after the discovery of an incident.
- A failure to timely file a report under Item 1.05 would not make a company ineligible to use Form S-3.
New Proposed Periodic Reporting Requirements
The proposed rules would establish a number of new periodic reporting requirements regarding cybersecurity. These are summarized below.
Updates in Periodic Reports Regarding Prior Cybersecurity Incidents
The proposed rules would call for specified disclosure about prior material cybersecurity incidents in a U.S. public company’s Annual Report on Form 10-K and Quarterly Reports on Form 10-Q.
First, companies would be required to describe material changes, additions, or other updates to prior disclosures under Item 1.05 of Form 8-K about a material cybersecurity incident.
In addition, the proposed rules would require companies to disclose when a series of previously undisclosed and individually immaterial cybersecurity incidents become material in the aggregate, including disclosing: (i) when the incidents were discovered and whether they are ongoing; (ii) a brief description of the nature and scope of such incidents; (iii) whether any data was stolen or altered; (iv) the impact of such incidents on the company’s operations and the company’s actions; and (v) whether the company has remediated or is currently remediating the incidents.
Cybersecurity Risk Management and Strategy
Proposed new Item 106(b) of Regulation S-K would require a U.S. public company to describe, in its Annual Report on Form 10-K, policies and procedures it has for identifying and managing risks from cybersecurity threats, including, as applicable, whether:
- The company has a cybersecurity risk assessment program and if so, a description of such program;
- Cybersecurity risks are considered as part of the company’s business strategy, financial planning, and capital allocation and if so, how;
- The company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
- The company has policies and procedures covering third-party risk management to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the company’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
- The company undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
- The company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
- Previous cybersecurity incidents have informed changes in the company’s governance, policies and procedures, or technologies; and
- Cybersecurity-related risks and incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition and if so, how.
Board of Directors’ Oversight of Cybersecurity
Proposed Item 106(c)(1) of Regulation S-K would require a U.S. public company to describe, in its Annual Report on Form 10-K, the following, as applicable:
- Whether the entire board, specific board members or a board committee is responsible for the oversight of the company’s cybersecurity risks;
- The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
- Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.
Management’s Role in Assessing and Managing Cybersecurity-Related Risks
Proposed Item 106(c)(2) of Regulation S-K would require a U.S. public company to describe, in its Annual Report on Form 10-K, management’s role in assessing and managing cybersecurity risks and in implementing cybersecurity policies, procedures, and strategies. This would include, but not be limited to, the following information:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
- Whether the company has designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the company’s organizational chart, and the relevant expertise of any such persons;
- The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
- Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.
Key Takeaways
- The proposed rules would not require a company to affirmatively state that it has no cybersecurity risk management policies.
- Proposed disclosure requirements are designed to facilitate comparability of governance and risk management policies and practices across public companies.
- The SEC is seeking input on whether there should be delayed compliance or other transition accommodations with respect to the proposed rules’ application to certain categories of companies.
Board of Directors’ Cybersecurity Expertise
The proposed rules would amend Item 407 of Regulation S-K to require U.S. public companies to disclose, in their annual meeting proxy statement or Annual Report on Form 10-K, the names of any directors who have cybersecurity expertise, and to describe the nature of such expertise. The SEC provided a list of factors to consider in making this determination:
- Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
- Whether the director has obtained a certification or degree in cybersecurity; and
- Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.
Key Takeaways
- As proposed, a company that does not have a director with cybersecurity expertise would not be required to state this expressly.
- A safe harbor is proposed to clarify that persons identified as having cybersecurity expertise would not be deemed to be subject to the liability provisions for “experts” under the Securities Act.
Other Items
Foreign Private Issuers
In connection with the proposed amendments to Form 8-K, the SEC proposed amending Form 6-K, for foreign private issuers, to add material cybersecurity incidents to the list of events that may be reported on such Form. Similarly, the SEC proposed amendments to Form 20-F to impose corresponding annual reporting obligations on foreign private issuers.
Smaller Reporting Companies
The SEC considered, but ultimately decided against, proposing separate rules for smaller reporting companies; the proposing release asks for comments on whether separate rules or certain accommodations would be appropriate.
Items for Companies to Consider
Public comment on the proposal will remain open for 60 days once posted on the SEC's website, or 30 days from publication in the Federal Register, whichever period is longer.
Companies would be well advised to consider the potential impact of the disclosure reporting obligations and the practical implications that may follow, including, but not limited to:
- Evaluation and assessment of existing management and board oversight of cybersecurity risk;
- Evaluation and assessment of disclosure controls and procedures frameworks in place and the possible adjustments that would be required in order to comply with the proposed rules’ current and periodic reporting requirements;
- Evaluation and assessment of cybersecurity governance programs, including applicable policies and procedures;
- The interplay of reporting obligations under sector-specific, state, or local notification laws and regulations with the materiality assessment that would be required under the new rules and securities law reporting requirements; and
- The company’s current level of incident response preparedness and training.
If you have any questions concerning the material discussed in this client alert, please contact the members of our Securities and Capital Markets practice. If you have any questions concerning cybersecurity governance, risk, compliance, or incident response, please contact members of our Cybersecurity practice.
[2] The proposing release gives a number of non-exclusive examples of cybersecurity events that, if material, would constitute cybersecurity incidents triggering a report on Form 8-K.