The SEC has proposed new disclosure rules for public companies regarding cybersecurity incidents and related policies and procedures. We will discuss in a forthcoming post practical considerations and best practices that registrants should consider now – regardless of how these proposed rules ultimately are codified. Today, we summarize the proposed new disclosures, which fall into two categories:
The proposed rules are subject to a comment period of at least 60 days, which could be longer if publication in the Federal Register is substantially delayed.
At a high level, the proposed rules align with expectations and track existing practices of many companies. Many issuers already file Current Reports on Form 8-K for material cybersecurity events and, following guidance issued by the SEC in 2011 and 2018, have established processes for determining the materiality of cybersecurity events and whether disclosure is warranted, and for documenting that determination. Also following the SEC’s earlier guidance, many companies already disclose in proxy statements elements of board oversight of cybersecurity risks. In large part due to expectations from third-party ratings systems utilized by key stakeholders, many companies also disclose even more detail about their cybersecurity risk management practices. For example, in January 2021, the methodology used by Institutional Shareholder Services for its governance QualityScore was changed to include certain more detailed factors regarding information security.
Any companies that do not already do those things should consider them now. Some aspects of the SEC’s proposed rules, however, are likely to cause controversy, and potentially change current issuer practice more broadly. Given these aspects, we expect the proposed rules may be altered in response to comments. Regardless, we believe issuers should consider proactive steps now – even those that have already responded to prior SEC guidance and shareholder preferences. With respect to incident reporting, these steps are already considered best practices. With respect to strategy, risk management, and governance, the steps are preliminary, intended to give issuers the opportunity to prepare earlier for potentially significant new requirements.
The SEC’s proposed rules would require an issuer to timely disclose material cybersecurity incidents on a Current Report on Form 8-K, including specified information about the nature of the incident.
The SEC’s proposed rules also provide for certain disclosures about issuers’ risk management, strategy, and governance. These are sweeping and surprisingly detailed. For instance, the SEC proposes requiring disclosure about the role cybersecurity plays in a company’s strategy, financial planning, and capital allocation; its mechanisms for mitigating cybersecurity risks introduced by third parties with access to company data; how frequently the board discusses cybersecurity and the processes by which it is informed; and whether a company has a Chief Information Security Officer, as well as that individual’s expertise and reporting lines within the company. The SEC has also proposed requiring disclosure about the cybersecurity expertise of individual directors. Notably, the proposed requirements would call for unusually detailed disclosure about: