The SEC’s Proposed New Cybersecurity Disclosure Requirements: Key Takeaways for Issuers

March 10, 2022

The SEC has proposed new disclosure rules for public companies regarding cybersecurity incidents and related policies and procedures. We will discuss in a forthcoming post practical considerations and best practices that registrants should consider now – regardless of how these proposed rules ultimately are codified. Today, we summarize the proposed new disclosures, which fall into two categories:

  1. Incident reporting: disclosure of material cybersecurity incidents on Current Reports on Form 8-K (Form 6-K for Foreign Private Issuers (“FPIs”)), and

  2. Periodic disclosure of cybersecurity risk management, strategy, and governance: addition of Item 106 to Regulation S-K (and corresponding Item 16.J to Form 20-F for FPIs) and amendment of Item 407 of Regulation S-K and Form 20-F to require reporting of an issuer’s internal approach to cybersecurity, which would require disclosing, among other things, (i) policies and procedures to identify and manage cybersecurity risks, (ii) the role of cybersecurity in company strategy, financial planning, and capital allocation, (iii) board oversight, (iv) management’s role and expertise, and (v) the names of any directors with cybersecurity expertise, and such detail as necessary to fully describe the nature of the expertise.

The proposed rules are subject to a comment period of at least 60 days, which could be longer if publication in the Federal Register is substantially delayed. 

At a high level, the proposed rules align with expectations and track existing practices of many companies. Many issuers already file Current Reports on Form 8-K for material cybersecurity events, and, following guidance issued by the SEC in 2011 and 2018, have established processes for determining the materiality of cybersecurity events, whether disclosure is warranted, and documenting that determination. Also following the SEC’s earlier guidance, many companies already disclose in proxy statements elements of board oversight of cybersecurity risks. In large part due to expectations from third-party ratings systems utilized by key stakeholders, many companies also disclose even more detail about their cybersecurity risk management practices. For example, in January 2021, the methodology used by Institutional Shareholder Services for its governance QualityScore was changed to include certain more detailed factors regarding information security.

Any companies that do not already do those things should consider them now. Some aspects of the SEC’s proposed rules, however, are likely to cause controversy, and potentially change current issuer practice more broadly. Given these aspects, we expect the proposed rules may be altered in response to comments. Regardless, we believe issuers should consider proactive steps now – even those that have already responded to prior SEC guidance and shareholder preferences. With respect to incident reporting, these steps are already considered best practices. With respect to strategy, risk management, and governance, the steps are preliminary, intended to give issuers the opportunity to prepare earlier for potentially significant new requirements.

Incident Reporting

The SEC’s proposed rules would require an issuer to timely disclose material cybersecurity incidents on a Current Report on Form 8-K, including specified information about the nature of the incident.

  • The timing of the 8-K would be tied to an issuer’s determination that the incident is material, not discovery of the incident itself. The SEC previously signaled some discomfort about this choice, noting the concern that issuers should not be allowed to unreasonably delay their determinations and the corresponding disclosure. To address this concern, the SEC included an instruction that “a registrant shall make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of an incident.” To offset the impact of this uncertainty, the SEC has proposed that untimely filing would not result in the loss of Form S-3 or Form F-3 eligibility, and that the safe harbor from liability under Section 10(b) or Rule 10b-5 of the Exchange Act apply to these filings. We nonetheless expect comments to call out concerns about the vagueness of this requirement, especially in light of the typically uncertain and rapidly evolving information about these incidents. If the SEC’s formulation is ultimately adopted, we expect issuers to revamp their cybersecurity disclosure controls and procedures to include quicker and more frequent decision points. You may want to consider making these changes now.

  • The SEC has not provided any meaningful new guidance on what constitutes a material cybersecurity incident. Although issuers likely would have benefitted from greater clarity on what the SEC believes constitutes a material cybersecurity incident, the proposed rule does not provide it. The SEC’s discussion of materiality is, unfortunately, very high level and draws exclusively on existing formulations of the standard. Increased expectations for disclosure, combined with limited guidance from the SEC, support incorporating additional detail about what counts as “material” for your company in your cybersecurity disclosures and procedures, especially given the temptation to “lean in” to disclosure in uncertain situations.

  • The proposed rules potentially extend to incidents at third-party partners and service providers that support the business and operations of the registrant. Specifically, the SEC’s proposed rules would require disclosure when an issuer’s “information system” is compromised. These “information systems” are defined as “information resources, owned or used by the registrant . . . organized for the collection, processing, maintenance, use . . . of the registrant’s information to maintain or support the registrant’s operations.” This broad definition potentially sweeps in a wide range of incidents, likely including those at cloud infrastructure and service providers—i.e., SaaS, PaaS, and IaaS providers—about which an issuer may have limited information because (especially in the SaaS context) the issuer is not empowered to conduct the investigation. In anticipation of the upcoming rule, you should consider your incident response processes for third-party incidents, and specifically whether your existing disclosure controls and procedures are designed to effectively address third-party incidents. You should also consider whether your contracts with these third parties provide for the information and cooperation that you need to assess your disclosure obligations.

  • The SEC’s proposed rules would require certain updates. In addition to requiring disclosure on Current Reports on Form 8-K, the proposed rules require that periodic filings reflect any “material changes, additions, or updates” to previously reported information, which the SEC contemplates will include information about remediation. This proposed focus on remediation is not surprising given the SEC’s clear focus in recent enforcement inquiries on the company’s remediation efforts, and specifically whether (and to what extent) the company deviated from or did not follow guidance issued by governmental agencies, such as CISA. In addition, the proposed rules would require issuers to disclose in their periodic reports incidents that, while not individually material, have become material when aggregated with other incidents. The SEC was also careful to footnote, however, that in some circumstances, periodic reporting may not be sufficient, and the issuer may have a duty to file an amended Current Report on Form 8-K to correct information that has, over time, become inaccurate or materially misleading. This too is not surprising and appears to be an effort to enact into rules the enforcement position the SEC has taken in recent cybersecurity-related enforcement actions and settlements. Given this focus on updates, you should consider evaluating your disclosure controls and procedures now to make sure they provide for regular and appropriate reevaluation of each significant cybersecurity incident.

  • There is no mechanism to delay reporting cybersecurity incidents for law enforcement or national security reasons. Although the SEC noted that state laws provide for delay of disclosure of cybersecurity incidents if requested by law enforcement (see, for instance, California Civil Code 1798.82), it determined that, on balance, investors’ need for information trumped these concerns. This was the primary basis cited by Commissioner Peirce in opposing the proposed rules, and the SEC specifically invited comments on whether the Attorney General should be able to request a delay in disclosure for national security reasons.

Risk Management, Strategy, and Governance

The SEC’s proposed rules also provide for certain disclosures about issuers’ risk management, strategy, and governance. These are sweeping and surprisingly detailed. For instance, the SEC proposes requiring disclosure about the role cybersecurity plays in a company’s strategy, financial planning, and capital allocation, its mechanisms for mitigating cybersecurity risks introduced by third parties with access to company data, how frequently the board discusses cybersecurity and the processes by which it is informed, and whether a company has a Chief Information Security Officer as well as that individual’s expertise and company reporting lines. The SEC has also proposed requiring disclosure about the cybersecurity expertise of individual directors. Notably, the proposed requirements would require unusually detailed disclosure about:

  • Board processes. The proposed rules go beyond disclosure of whether the full board or a designated committee oversees cybersecurity, to require disclosure of “the processes by which the board is informed about cybersecurity risks, and its frequency of discussions on this topic” and “whether or how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.” With the possible exception of certain disclosure requirements about financial controls, it is hard to think of any disclosure requirement that digs so deeply into a board’s internal processes. While the SEC has previously adopted requirements that compel issuers to periodically engage in certain risk analyses (for instance, the rules requiring disclosure of market risks or the rules requiring disclosure of material adverse risks arising from compensation programs), it is highly unusual for the SEC to require disclosure about how often the board performs oversight of any particular risk or strategic opportunity, and the processes by which it engages in that oversight, placing emphasis on frequency as opposed to quality. This one-size-fits-all, detailed approach is an abrupt change from the SEC’s steady movement over the last decade towards a principles-based approach to public disclosure. We expect to see commentary about this change in the SEC’s willingness to peer into the boardroom, which, if adopted, may signal a wholesale change in the agency’s perspective on board governance. As many boards are already focused on cybersecurity risk, you should work with your advisors to consider whether the proposed rules warrant further evolution of your existing practices.

  • Director skills and experience. Similarly, the SEC’s proposed rules would require an issuer not only to disclose whether any directors have expertise in cybersecurity, but also to “provide such detail as necessary to fully describe the nature of the expertise.” Even existing requirements for disclosure of audit committee financial experts do not require that the issuer disclose the board’s justification for making that determination. Again, this requirement would indicate the SEC’s willingness to look more deeply into the inner workings of the board than previously contemplated. If the rules are adopted as proposed, the process by which boards consider and document their own composition may be substantially impacted. You should consider now the composition of your board, the skills of the board (particularly as they relate to cybersecurity), and how you document determinations that skills and expertise of your directors achieve the goals of the company.

  • Management processes. Lastly, the SEC’s approach would ask issuers to reveal greater detail about their internal management processes than has historically been required. Not only would an issuer have to disclose whether or not it has a Chief Information Security Officer, it would have to disclose that person’s background and reporting line. The issuer would also have to report whether it uses “assessors, consultants, auditors, or other third parties” to help assess cybersecurity risk. The issuer would also have to disclose how it takes cybersecurity into consideration in choosing third-party service providers with access to customer and employee data, and how it mitigates cybersecurity risks from those providers. In anticipation of these rules, you may wish to mock up how such a disclosure would look today, so you can adjust your management practices if desired.