The SEC has proposed new requirements for public companies to disclose information related to cybersecurity incidents and related topics. Here are the key takeaways:
The SEC proposed rules in March 2022 that would require public companies to disclose immediate information on cybersecurity incidents and periodic information on how they govern and manage information security risks. The rules are expected to be finalized in April 2023.
How Will This Affect Public Companies?
The proposed rules envision disclosures in two categories:
10 Things To Know About the SEC’s Proposed Cybersecurity Disclosure Rules
1. The 8-K disclosure clock starts ticking when a company determines an incident is material
The timing of disclosure of a cybersecurity incident would hinge on when a company determines that an event is material – not discovery of the incident itself. The proposal calls for companies to determine if incidents are material “as soon as reasonably practicable after discovery.” Some have raised concerns about the vagueness of this requirement, especially considering the rapidly evolving nature of information in these incidents. If the SEC adopts the rules as proposed, companies should consider revamping cybersecurity disclosure controls and procedures for quicker, more frequent disclosure decision-making.
2. The proposed rules provide no meaningful new guidance on what constitutes a material incident.
The SEC’s discussion of materiality is high level and draws on existing formulations of the standard. Companies may want to determine how they define “material” and document that to enable better decision-making and provide some cover should the SEC disagree with a company determination.
3. The proposed rules include incidents at certain third-party partners and service providers.
The proposed rules could extend to incidents at third parties like cloud service providers.
They would require disclosure when an issuer’s “information system” is compromised. The proposed rules define these systems as “information resources, owned or used by the registrant… organized for the collection, processing, maintenance, use . . . of the registrant’s information to maintain or support the registrant’s operations.”
This broad definition could sweep in a wide range of incidents, likely including those at cloud infrastructure and service providers—i.e., SaaS, PaaS, and IaaS providers. Issuers may have limited information about such cases because they are not empowered to conduct the investigation, especially in the SaaS context.
The proposed rules would require companies to disclose how they take cybersecurity into account in choosing third-party service providers with access to customer and employee data – and how they could mitigate cybersecurity risks from those providers.
4. The proposals include no reporting delay for law enforcement or national security reasons, or because an incident has not been remediated.
The proposed rules provide no mechanism to delay reporting cybersecurity incidents for law enforcement or national security reasons, or because an incident has not yet been remediated. This means that, if the SEC does not change its approach in response to comments pointing out this problem, certain disclosures may cause harm. It is a good idea to begin preparing internal stakeholders now for the difficult decisions that may lie ahead.
5. Companies may need to update previously reported information about incidents.
The proposed rules would require periodic filings to reflect “material changes, additions, or updates” to previously reported information about incidents, which the SEC contemplates will include information about remediation.
Companies may also be required to amend Form 8-K reports to correct information that has become inaccurate over time.
Companies may want to evaluate disclosure controls and procedures to show that they regularly re-evaluate significant cybersecurity incidents.
6. The proposed rules require periodic reporting of incidents that become material only if aggregated.
The agency also proposes that companies disclose in their periodic reports whether incidents that are not material on their own become material when aggregated with other incidents. While companies may already do this as part of regular financial reporting, it may be a good idea to formalize and document quarterly consideration of this question.
7. Companies would have to disclose cybersecurity policies and procedures.
The proposed rules would require a company to “describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats” in their periodic reports. It may be advisable to review those policies and procedures now to ensure comfort with an ultimate public disclosure.
8. The agency proposes sweeping and detailed rules for disclosures about board-level governance.
They include disclosures about:
This type of disclosure about board governance is unprecedented and may signal a broader SEC interest in the details of board governance. Companies should be sure their boards are ready for the SEC’s changed approach.
9. The SEC wants companies to say which directors have cybersecurity credentials
The proposed rules seek extensive information about directors, including whether they have cybersecurity expertise and details of their expertise. If adopted as proposed, the rules may substantially affect the process by which boards consider and document their own composition.
10. The proposed rules require sharing details of management processes.
The proposed rules also would require a company to say whether it has a chief information security officer and, if so, what experience that person has. The proposed rules also would require companies to say if they use consultants, auditors or other third parties to help assess cybersecurity risks. As a result, companies may want to prepare mockups of how disclosures look today and prepare to adjust practices, if needed.
The proposed rules may change before taking effect – or may not take effect at all, depending on how the agency responds to feedback on its proposal.