SEC Proposes Cybersecurity Disclosure Rules for Public Companies

11 Mar 2022
Client Alert

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed amendments to its rules to require disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.[1]

If adopted after a 60-day comment period following publication in the Federal Register, the proposed amendments would require:

  • Current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents, as well as disclosure of individually immaterial cybersecurity incidents that become material in the aggregate;
  • Periodic reporting about:
    • A company’s policies and procedures to identify and manage cybersecurity risks;
    • Oversight of cybersecurity risk by the board of directors; and
    • Management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures; and
  • Annual reporting about the board of directors’ cybersecurity expertise, if any.

Key Takeaways for Public Companies

If the SEC’s rules are adopted as proposed, public companies would need to:

  • Ensure that incident response policies and procedures provide a clear path to escalate incidents to corporate leadership and/or a disclosure committee, and that disclosure controls and procedures are in place to discern the impact that an incident may have on the company;
  • Undertake a materiality assessment as soon as practicable after learning of the incident;
  • Report material cybersecurity incidents, including any impact on business operations, on a Form 8-K within four business days of their determination that the incident is material;
  • Update their Form 10-Qs and 10-Ks with information regarding material cybersecurity incidents previously reported via Form 8-K, and immaterial cybersecurity incidents that, in the aggregate, have been determined to be material, including the impact of these incidents on the company’s business operations and financial condition;
  • Disclose periodically their cybersecurity risk management governance, strategy, and policies and procedures, including delineating who is responsible for cybersecurity governance and ensuring that such programs are tailored to known risks and reassessed periodically; and
  • Specify the cybersecurity expertise of their boards of directors.

Background

For over a decade, the SEC and its staff have been focused on disclosures that public companies make about cybersecurity risks.

On October 13, 2011, the SEC’s Division of Corporation Finance issued disclosure guidance to assist public companies “in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.”[2] CF Disclosure Guidance Topic No. 2 reviewed the applicability of existing SEC disclosure requirements to cybersecurity concerns, noting that: (i) businesses increasingly focus or rely on internet communications and remote data storage; (ii) risks and potential costs associated with cyber attacks and inadequate cyber security are increasing; and (iii) as with other operational and financial risks and events, companies should, on an ongoing basis, review the adequacy of disclosure relating to cybersecurity risks and other cyber incidents.

On February 20, 2018, the SEC issued interpretive guidance, which noted that public companies should take all required actions “to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”[3] The SEC noted in this guidance the importance of disclosure controls and procedures “that provide an appropriate method of discerning the impact that such matters may have on the issuer and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.” In addition, the 2018 Interpretive Release noted that “directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.” The SEC indicated that companies should have policies and procedures in place to: (i) guard against directors, officers, and other corporate insiders taking advantage of the period between the issuer’s discovery of a cybersecurity incident and public disclosure of the incident to trade based on material nonpublic information about the incident; and (ii) help ensure that the issuer makes timely disclosure of any related material nonpublic information.

Over the past decade, the SEC has also brought numerous enforcement actions against public companies that experienced material cybersecurity incidents, alleging that the companies failed to adequately disclose such incidents and/or failed to have appropriate disclosure controls and procedures in place to facilitate the timely disclosure of material cybersecurity incidents. The SEC has also brought insider trading actions against individuals who traded in a company’s securities while in possession of material nonpublic information regarding a material cybersecurity incident.

The SEC has now proposed rule amendments that it believes will standardize and enhance disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies, which “are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.”

Current Reporting of Cybersecurity Incidents on Form 8-K

Based on a growing concern that “material cybersecurity incidents are underreported and that existing reporting may not be sufficiently timely,” the SEC proposes to require that companies disclose material cybersecurity incidents in a Current Report on Form 8-K within four business days after the company determines that it has experienced a material cybersecurity incident.

The SEC proposes to amend Form 8-K by adding new Item 1.05, which would require a company to disclose the following information about a material cybersecurity incident, to the extent the information is known when the company files the Form 8-K:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the company’s operations; and
  • Whether the company has remediated or is currently remediating the incident.

In the Proposing Release, the SEC notes that while companies would be required to provide disclosure responsive to the enumerated items to the extent known at the time of filing of the Item 1.05 Form 8-K, the SEC “would not expect a registrant to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”

The SEC notes that the proposed trigger for an Item 1.05 Form 8-K is the date on which a company determines that a cybersecurity incident it has experienced is material, rather than the date of discovery of the incident. The SEC indicates that, in some cases, the date of the company’s materiality determination could coincide with the date of discovery of the cybersecurity incident, while in other situations the materiality determination could occur after the discovery date. In order to address the concern that some companies may delay making such a determination to avoid triggering a disclosure obligation, Instruction 1 to proposed Item 1.05 states: “a registrant shall make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.”

The SEC also notes that what constitutes “materiality” for purposes of this disclosure item would be consistent with the established principles of materiality articulated in numerous court decisions.[4] In this regard, information is considered material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the “total mix” of information made available. The Proposing Release states:

A materiality analysis is not a mechanical exercise, nor should it be based solely on a quantitative analysis of a cybersecurity incident. Rather, registrants would need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material. Even if the probability of an adverse consequence is relatively low, if the magnitude of the loss or liability is high, the incident may still be material; materiality ‘depends on the significance the reasonable investor would place on’ the information.

The SEC indicates that, under the proposed rules, when a cybersecurity incident occurs, companies would need to “carefully assess whether the incident is material in light of the specific circumstances presented by applying a well-reasoned, objective approach from a reasonable investor’s perspective based on the total mix of information.”

The SEC provides a non-exclusive list of examples of cybersecurity incidents that may, if determined by the company to be material, trigger the disclosure requirement in proposed Item 1.05 on Form 8-K:

  • An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network), or violated the company’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
  • An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
  • An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the company;
  • An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
  • An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.

The SEC notes that proposed Item 1.05 would not provide for a delay in filing the required Form 8-K when there is an ongoing internal or external investigation related to the cybersecurity incident. Consistent with the guidance that the SEC provided in the 2018 Interpretive Release, the SEC is of the view that while an ongoing investigation might affect the specifics of the disclosure that is provided, the ongoing internal or external investigation is not, on its own, a basis to avoid disclosure of a material cybersecurity incident. The SEC continues to recognize that a delay in reporting may facilitate law enforcement investigations aimed at apprehending the perpetrators of the cybersecurity incident and preventing future cybersecurity incidents, but, on balance, the SEC believes that the importance of timely disclosure of cybersecurity incidents for investors justifies not providing for a reporting delay.

The SEC also observes that a company may have obligations to report incidents at the state or federal level, which are distinct from the company’s obligations to disclose material information under the federal securities laws. As a result, there is a possibility that a company would be required to disclose a cybersecurity incident pursuant to Item 1.05 of Form 8-K, even when the company could delay reporting the incident under other applicable laws.

Recognizing the difficult materiality judgments that would need to be made in determining whether an Item 1.05 Form 8-K would be required, the SEC proposes to add Item 1.05 to the list of Form 8-K items specified in General Instruction I.A.3.(b) of Form S-3 and General Instruction I.A.2 of Form SF-3, so that the untimely filing of an Item 1.05 Form 8-K would not result in a loss of Form S-3 or Form SF-3 eligibility, so long as Form 8-K reporting is current at the time the Form S-3 or SF-3 is filed. The SEC has also proposed amendments to Exchange Act Rules 13a-11(c) and 15d-11(c) to include Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Exchange Act Section 10(b) and Exchange Act Rule 10b5-1.

Disclosures about Cybersecurity Incidents in Periodic Reports

The SEC is proposing to require periodic disclosures (e.g., in Annual Reports on Form 10-K and Quarterly Reports on Form 10-Q) about updates regarding previously reported cybersecurity incidents and individually immaterial cybersecurity incidents that become material in the aggregate.

Updates to Previously Filed Form 8-K Disclosure

Proposed Item 106(d)(1) of Regulation S-K would require companies to disclose any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8-K in a company’s Quarterly Report on Form 10-Q or Annual Report on Form 10-K for the period (the company’s fourth fiscal quarter in the case of an annual report) in which the material change, addition, or update occurred. For example, the SEC notes a situation where, after filing the initial Form 8-K disclosure about a material cybersecurity incident, the company becomes aware of additional material information about the scope of the cybersecurity incident and whether any data was stolen or altered. Under the proposed Item 106(d)(1) disclosure requirement, the company would need to provide updates that allow investors to stay informed about those developments. The SEC also notes that a company may be able to provide information under proposed Item 106(d)(1) about the effect of the previously reported cybersecurity incident on its operations, as well as a description of remedial steps it has taken, or plans to take, in response to the incident, when that information was not available when the company filed the initial Form 8-K.

Proposed Item 106(d)(1) of Regulation S-K provides the following non-exclusive examples of the type of disclosure that should be provided, if applicable:

  • Any material impact of the incident on the company’s operations and financial condition;
  • Any potential material future impacts on the company’s operations and financial condition;
  • Whether the company has remediated or is currently remediating the incident; and
  • Any changes in the company’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.

The SEC indicates in the Proposing Release that, notwithstanding the disclosure requirement in proposed Item 106(d)(1) of Regulation S-K, there may be situations where a company would need to file an amended Form 8-K to correct disclosure from the initial Item 1.05 Form 8-K, such as where that disclosure becomes inaccurate or materially misleading as a result of subsequent developments regarding the incident. For example, the SEC notes that if the impact of the incident is determined after the initial Item 1.05 Form 8-K filing to be significantly more severe than previously disclosed, an amended Form 8-K may be required.

Disclosure of Cybersecurity Incidents That Have Become Material in the Aggregate

Proposed Item 106(d)(2) of Regulation S-K would require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. As a result of this proposed disclosure requirement, companies would be required to analyze related cybersecurity incidents for materiality, both individually and in the aggregate. If the related cybersecurity incidents become material in the aggregate, a company would need to disclose:

  • When the incidents were discovered and whether they are ongoing;
  • A brief description of the nature and scope of such incidents;
  • Whether any data was stolen or altered;
  • The impact of such incidents on the company’s operations and the company’s actions; and
  • Whether the company has remediated or is currently remediating the incidents.

In the Proposing Release, the SEC provides an example where one malicious actor engages in a number of smaller (but continuous) cyber-attacks, related in time and form, against the same company and collectively these attacks are either quantitatively or qualitatively material, or both. The SEC notes that such incidents would need to be disclosed in the periodic report for the period in which a company has made a determination that the incidents are material in the aggregate.

Disclosure of a Company’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks

The SEC is proposing to require periodic disclosures about a company’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and oversight of cybersecurity risk by the board of directors.

Risk Management and Strategy

The SEC proposes Item 106(b) of Regulation S-K to require companies to provide disclosure regarding their cybersecurity risk management and strategy. Proposed Item 106(b) would require companies to disclose their policies and procedures, if they have any, to identify and manage cybersecurity risks and threats, including: (i) operational risk; (ii) intellectual property theft; (iii) fraud; (iv) extortion; (v) harm to employees or customers; (vi) violation of privacy laws and other litigation and legal risk; and (vii) reputational risk. Specifically, proposed Item 106(b) of Regulation S-K would require disclosure, as applicable, of whether:

  • The company has a cybersecurity risk assessment program and, if so, a description of such program;
  • The company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
  • The company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider, including, but not limited to, those providers that have access to the company’s customer and employee data, and including whether and how cybersecurity considerations affect the selection and oversight of these providers, and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
  • The company undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
  • The company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
  • Previous cybersecurity incidents have informed changes in the company’s governance, policies and procedures, or technologies;
  • Cybersecurity related risk and incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition and, if so, how; and
  • Cybersecurity risks are considered to be part of the company’s business strategy, financial planning, and capital allocation and, if so, how.

Governance

The SEC is proposing that Item 106(c) of Regulation S-K would require disclosure of a company’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the company’s cybersecurity policies, procedures, and strategies.

With respect to the board’s oversight of cybersecurity risk, disclosure required by proposed Item 106(c)(1) would include a discussion, as applicable, of the following:

  • Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
  • The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
  • Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.

Proposed Item 106(c)(2) of Regulation S-K would require a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the company’s cybersecurity policies, procedures, and strategies, including, but not limited to, the following information:

  • Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
  • Whether the company has designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the company’s organizational chart, and the relevant expertise of any such persons (proposed Instruction 2 to Item 106(c) provides guidance that “expertise” may include, for example: prior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity);
  • The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
  • Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.

Definitions

Proposed Item 106(a) of Regulation S-K would define the terms “cybersecurity incident,” “cybersecurity threat,” and “information systems,” as used in proposed Item 106 and proposed Form 8-K Item 1.05, as follows:

  • “Cybersecurity incident” means an unauthorized occurrence on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.
  • “Cybersecurity threat” means any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.
  • “Information systems” means information resources, owned or used by the company, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the company’s information to maintain or support the company’s operations.

The SEC notes that these definitions are derived from a number of pre-existing sources identified in the Proposing Release. The SEC also notes that what constitutes a “cybersecurity incident” for purposes of the proposed rules “should be construed broadly and may result from any one or more of the following: an accidental exposure of data, a deliberate action or activity to gain unauthorized access to systems or to steal or alter data, or other system compromises or data breaches.”

Disclosure Regarding the Board of Directors’ Cybersecurity Expertise

The SEC proposes to amend Item 407 of Regulation S-K by adding paragraph (j) to require disclosure about the cybersecurity expertise of members of the board of directors of the company, if any. If any member of the board has cybersecurity expertise, the company would be required to disclose the name(s) of any such director(s) and provide such details as necessary to fully describe the nature of the expertise. These proposed disclosure requirements would build upon the existing disclosure requirements in Item 401(e) of Regulation S-K (business experience of directors) and Item 407(h) of Regulation S-K (board risk oversight). The proposed Item 407(j) disclosure would be required in a company’s proxy or information statement when action is to be taken with respect to the election of directors, and in the company’s Annual Report on Form 10-K (either directly or through incorporation by reference from the proxy statement).

Proposed Item 407(j)(1)(ii) would include the following non-exclusive list of criteria that a company should consider to determine whether a director has expertise in cybersecurity:

  • Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
  • Whether the director has obtained a certification or degree in cybersecurity; and
  • Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.

Proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 of the Securities Act of 1933, as amended, as a result of being designated or identified as a director with expertise in cybersecurity pursuant to proposed Item 407(j). This proposed safe harbor “is intended to clarify that Item 407(j) would not impose on such person any duties, obligations, or liability that are greater than the duties, obligations, and liability imposed on such person as a member of the board of directors in the absence of such designation or identification.”

Disclosure by Foreign Private Issuers

Foreign private issuers are not required to file Current Reports on Form 8-K, and instead must furnish on Form 6-K copies of all information that the foreign private issuer: (i) makes, or is required to make, public under the laws of its jurisdiction of incorporation; (ii) files, or is required to file, under the rules of any stock exchange; or (iii) otherwise distributes to its security holders. The SEC proposes to amend General Instruction B of Form 6-K to reference material cybersecurity incidents among the items that may trigger a current report on Form 6-K. The SEC notes that, as with proposed Item 1.05 of Form 8-K, the proposed change to Form 6-K “is intended to provide timely cybersecurity incident disclosure in a manner that is consistent with the general purpose and use of Form 6-K.”

Where a foreign private issuer has previously reported an incident on Form 6-K, the SEC’s proposed amendments would require disclosure of material changes, additions, or updates regarding such incident, consistent with proposed Item 106(d)(1) of Regulation S-K. The SEC proposes to amend Form 20-F to require that foreign private issuers disclose on an annual basis information regarding any previously undisclosed material cybersecurity incidents that have occurred during the reporting period, including a series of previously undisclosed individually immaterial cybersecurity incidents that has become material in the aggregate.

The SEC proposes to amend Form 20-F to add Item 16J, which would require a foreign private issuer to include in its Annual Report on Form 20-F the same type of disclosure that the SEC proposes to require in Items 106 and 407(j) of Regulation S-K.

Inline XBRL

The SEC proposes to require that companies tag the information specified by Item 1.05 of Form 8-K and Items 106 and 407(j) of Regulation S-K in Inline XBRL in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual. The proposed tagging requirements would include block text tagging of narrative disclosures, as well as detail tagging of quantitative amounts disclosed within the narrative disclosures.

Next Steps

The SEC’s proposed amendments represent a significant step in the SEC’s long-term efforts to promote greater transparency regarding cybersecurity incidents. The SEC proposes to move past reliance on existing disclosure requirements and interpretive guidance by creating an entirely new disclosure regime that will apply to current disclosure of cybersecurity incidents and periodic disclosure of companies’ efforts to prevent such incidents from occurring and/or having an adverse impact. If adopted, the disclosure requirements will require companies to evaluate and adapt their existing disclosure controls and procedures and governance structures around cybersecurity risk.


[1] Release No. 33-11038, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Mar. 9, 2022), available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf (the “Proposing Release”).

[2] CF Disclosure Guidance: Topic No. 2 – Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

[3] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 26, 2018), available at https://www.sec.gov/rules/interp/2018/33-10459.pdf (the “2018 Interpretive Release”).

[4] See, e.g., TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976); Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988); and Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011).

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.