Introduction

On March 9, the SEC, by a 3-1 vote, proposed new rules in its most far-reaching effort to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies to date. The proposed rules follow last month’s proposal regarding cybersecurity risk management for registered investment advisers and business development companies (see our prior alert).

In recent years, the SEC has demonstrated that cybersecurity is among its top priorities through increasingly comprehensive guidance and related enforcement actions. In February 2018, the SEC issued interpretive guidance on cybersecurity disclosure laying out factors issuers should consider and actions to take to prevent insider trading by executives and directors related to cybersecurity incidents. Last year, we reported on a number of enforcement actions against issuers for violations of disclosure controls and procedures related to cybersecurity vulnerabilities (see our July and September 2021 alerts). These actions, in addition to the new proposed rules, are part of the SEC’s increasing focus on cybersecurity issues and underscore the importance of maintaining adequate cybersecurity disclosure and risk management policies and procedures.

Mandatory Incident Reporting

Though the SEC has sought to encourage companies to disclose cybersecurity incidents for some time, the agency characterized existing reporting as “inconsistent in level of detail, time of disclosure, and placement.” The proposed rules would amend Form 8-K to require disclosure of material cybersecurity incidents within four business days after determining the incident is material. The proposal would also amend Form 6-K to add “cybersecurity incidents” as a reporting topic.

Disclosure must contain information on when the incident was discovered and whether it is ongoing; a brief description of the nature and scope of the incident; whether any data was stolen, altered, or accessed or used for any other unauthorized purpose; the effect of the incident on the registrant’s operations; and whether the registrant has remediated or is currently remediating the incident. The proposal would apply to incidents involving information resources “owned or used by the registrant,” extending the reach of the rules to third-party systems.

The four-day deadline for reporting following a materiality determination represents the first time the SEC has sought to set a specific time period for disclosure. Consistent with traditional standards, information related to cybersecurity incidents is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”

The proposal instructs registrants to “make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.” The rule would not provide for a reporting delay when there is an internal or external investigation related to the cybersecurity incident; the SEC explained that any such delay could undermine the purpose of the rule, given that investigations and resolutions can vary widely in time and scope. Under the proposal, any material changes, additions or updates regarding cybersecurity incidents that were previously disclosed must be disclosed in subsequent Form 10-Q and Form 10-K reports.

Cybersecurity incident reporting on Form 8-K would be eligible for a safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act for failure to timely file. Additionally, late disclosure of material cybersecurity incidents on Form 8-K would not result in a loss of Form S-3 eligibility.

The four-day deadline is likely to be the subject of much discussion and comment through the rulemaking process. Issuers may find the deadline challenging to meet without the proper protocols and procedures in place to assess and respond to cybersecurity incidents. In the proposal, the SEC requests comments on whether there should be further guidance regarding the timing of a materiality determination and what timeframes would be considered prompt.

Periodic Disclosure Regarding Risk Management, Strategy and Governance

The proposal would also require “enhanced and standardized disclosure” regarding companies’ “cybersecurity risk management, strategy, and governance.” The rules would amend Regulation S-K to require periodic disclosures on an issuer’s risk management policies and procedures and corporate governance regarding cybersecurity.

Among other things, disclosure of risk management procedures should discuss risk assessment programs; business continuity plans in the event of an incident; policies and procedures regarding third-party service providers; and activities to prevent, detect and minimize effects of cybersecurity incidents. Additionally, registrants should describe whether they consider cybersecurity as part of their business strategy, financial planning and capital allocation. The proposed rule explains, “[A] company with a business model that relies highly on collecting and safeguarding sensitive and personally identifiable information from its customers may consider raising additional capital to invest in enhanced cybersecurity protection, improvements in its information security infrastructure, or employee cybersecurity training.”

The proposed rule also covers cybersecurity governance, including board oversight of cybersecurity risk, how the board is informed about those risks, and management’s role in implementing cybersecurity policies and procedures. Issuers would need to disclose the name, if any, of each board member with cybersecurity expertise and the nature of the expertise. The SEC noted that investors may find this disclosure important as they consider investment in the issuer as well as their votes on electing directors.

Conclusion

The proposed amendments will be put out for a public comment period, which will run either 30 days from when the proposal is published in the Federal Register or 60 days after it is issued, whichever is longer. The sweeping nature of the proposal is likely to generate substantial commentary and serves as a reminder to issuers that cybersecurity issues will continue to be a top priority of SEC rulemaking and enforcement.