The SEC’s Proposed Cybersecurity Disclosure Requirements: What Public Companies Need to Know

March.10.2022

The SEC has proposed new requirements for public companies to disclose information related to cybersecurity incidents and related topics. Here are the key takeaways:

What Happened?

The SEC proposed rules in March 2022 that would require public companies to disclose immediate information on cybersecurity incidents and periodic information on how they govern and manage information security risks. The rules are expected to be finalized in April 2023.

How Will This Affect Public Companies?

The proposed rules envision disclosures in two categories:

Current reporting of material cybersecurity incidents.
Periodic disclosures of cybersecurity risk management, strategy and governance. Companies would have to disclose information on topics that include:
- The policies and procedures used to identify and manage cybersecurity risks, including details about board oversight.
- Cybersecurity’s role in company strategy, financial planning, and capital allocation.
- Management and director oversight and expertise in cybersecurity.

10 Things To Know About the SEC’s Proposed Cybersecurity Disclosure Rules

1. The 8-K disclosure clock starts ticking when a company determines an incident is material

The timing of disclosure of a cybersecurity incident would hinge on when a company determines that an event is material – not discovery of the incident itself. The proposal calls for companies to determine if incidents are material “as soon as reasonably practicable after discovery.” Some have raised concerns about the vagueness of this requirement, especially considering the rapidly evolving nature of information in these incidents. If the SEC adopts the rules as proposed, companies should consider revamping cybersecurity disclosure controls and procedures for quicker, more frequent disclosure decision-making.

2. The proposed rules provide no meaningful new guidance on what constitutes a material incident.

The SEC’s discussion of materiality is high level and draws on existing formulations of the standard. Companies may want to determine how they define “material” and document that to enable better decision-making and provide some cover should the SEC disagree with a company determination.

3. The proposed rules include incidents at certain third-party partners and service providers.

The proposed rules could extend to incidents at third parties like cloud service providers.

They would require disclosure when an issuer’s “information system” is compromised. The proposed rules define these systems as “information resources, owned or used by the registrant… organized for the collection, processing, maintenance, use . . . of the registrant’s information to maintain or support the registrant’s operations.”

This broad definition could sweep in a wide range of incidents, likely including those at cloud infrastructure and service providers—i.e., SaaS, PaaS, and IaaS providers. Issuers may have limited information about such cases because they are not empowered to conduct the investigation, especially in the SaaS context.

Companies should:

Review controls and procedures that apply to third-party incidents.
Evaluate whether contracts with third parties provide the information and cooperation a company would need to promptly assess disclosure obligations.

The proposed rules would require companies to disclose how they take cybersecurity into account in choosing third-party service providers with access to customer and employee data – and how they could mitigate cybersecurity risks from those providers.

4. The proposals include no reporting delay for law enforcement or national security reasons, or because an incident has not been remediated.

The proposed rules provide no mechanism to delay reporting cybersecurity incidents for law enforcement or national security reasons, or because an incident has not yet been remediated. This means that, if the SEC does not change its approach in response to comments pointing out this problem, certain disclosures may cause harm. It is a good idea to begin preparing internal stakeholders now for the difficult decisions that may lie ahead.

5. Companies may need to update previously reported information about incidents.

The proposed rules would require periodic filings to reflect “material changes, additions, or updates” to previously reported information about incidents, which the SEC contemplates will include information about remediation.

Companies may also be required to amend Form 8-K reports to correct information that has become inaccurate over time.

Companies may want to evaluate disclosure controls and procedures to show that they regularly re-evaluate significant cybersecurity incidents.

6. The proposed rules require periodic reporting of incidents that become material only if aggregated.

The agency also proposes that companies disclose in their periodic reports whether incidents that are not material on their own become material when aggregated with other incidents. While companies may already do this as part of regular financial reporting, it may be a good idea to formalize and document quarterly consideration of this question.

7. Companies would have to disclose cybersecurity policies and procedures.

The proposed rules would require a company to “describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats” in their periodic reports. It may be advisable to review those policies and procedures now to ensure comfort with an ultimate public disclosure.

8. The agency proposes sweeping and detailed rules for disclosures about board-level governance.

They include disclosures about:

How the board learns about cybersecurity issues - and how often the board discusses it.
How the board or a committee oversees cybersecurity, including whether the board evaluates risks as part of business strategy, risk management and financial oversight.

This type of disclosure about board governance is unprecedented and may signal a broader SEC interest in the details of board governance. Companies should be sure their boards are ready for the SEC’s changed approach.

9. The SEC wants companies to say which directors have cybersecurity credentials

The proposed rules seek extensive information about directors, including whether they have cybersecurity expertise and details of their expertise. If adopted as proposed, the rules may substantially affect the process by which boards consider and document their own composition.

10. The proposed rules require sharing details of management processes.

The proposed rules also would require a company to say whether it has a chief information security officer and, if so, what experience that person has. The proposed rules also would require companies to say if they use consultants, auditors or other third parties to help assess cybersecurity risks. As a result, companies may want to prepare mockups of how disclosures look today and prepare to adjust practices, if needed.

What’s next?

The proposed rules may change before taking effect – or may not take effect at all, depending on how the agency responds to feedback on its proposal.

Authors

Carolyn Frantz シニア・カウンセル

シアトル

See my bio

Practice:

vCard

See full bio

Carolyn Frantz シニア・カウンセル

シアトル

A former Rhodes Scholar, Carolyn clerked for Supreme Court Justice Sandra Day O’Connor and D.C. Circuit Court of Appeals Judge David S. Tatel, before teaching at the University of Chicago Law School. She was a litigation partner at a major law firm for eight years before joining Microsoft, where she managed the company’s worldwide tax litigation until her appointment as Corporate Secretary.

As Microsoft’s Corporate Secretary, Carolyn had the opportunity to work closely with the company’s Board of Directors and senior leadership, gaining a first-hand understanding of the opportunities and challenges facing technology companies in a dynamic competitive and regulatory environment. As the head of the Corporate Legal Group, Carolyn was responsible for legal issues regarding securities law and disclosures, treasury and finance, international trade, procurement, real estate, and many other issues. Building on her extensive litigation experience, which includes managing tax disputes domestically and abroad, as well as litigating multidistrict products liability, consumer cases, and commercial contract disputes, Carolyn understands the practical challenges companies face and how those intersect with Board reporting, securities disclosures, and internal accountability. She also brings her understanding of board governance, corporate law, and ESG to select litigation matters.

Carolyn is also frequently called on to serve as a resource to new legal leaders in their roles supporting and interacting with their Boards.

Aravind Swaminathan パートナー, Cyber, Privacy & Data Innovation, Class Action Defense

シアトル; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
政府による調査および強制措置
審理
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan パートナー

シアトル; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

J. T. Ho パートナー, 企業ガバナンス, Capital Markets

サンフランシスコ

See my bio

D:+1 415 773 5624
E: [email protected]

Practice:

企業ガバナンス
Capital Markets
Compensation & Benefits
Environmental, Social & Corporate Governance (ESG)

vCard

See full bio

J. T. Ho パートナー

サンフランシスコ

J.T. counsels companies on Board and committee oversight, assessment and composition issues, developing effective shareholder engagement programs and governance-related disclosures, and helps companies to understand and consider the views of proxy advisors and institutional shareholders and other long-term stakeholders in their decision making. Recently, he has helped many companies successfully address ESG related shareholder proposals and activism campaigns and refine their disclosure controls and procedures and enterprise risk management programs to address cybersecurity and climate risk.

On the securities front, he focuses on advising clients in connection with securities offerings, proxy statements, periodic SEC reports, stock exchange listing obligations, stock repurchases and the sale and reporting of securities by insiders. He regularly counsels companies on difficult disclosure issues and provides training on disclosure best practices.

J.T. also advises on compensation committee matters and related disclosures as well as the design of cash and equity incentive plans, and has helped over a dozen companies remediate failed or low "say on pay" votes.

J.T. plays a leading role in Orrick’s ESG practice, helping companies identify and understand the risks and opportunities associated with ESG and incorporating ESG into a company’s overall business strategy and incentive plans. More recently, he has helped companies navigate the growing anti-ESG movement.

J.T. serves on the advisory board of The Corporate Counsel and hosts J.T.'s Fast Five, a monthly podcast on The Corporate Counsel where J.T. covers the five things public companies ought know each month. J.T. Ho also regularly presents on and contributes articles related to corporate governance, securities, executive compensation and ESG. He has presented at notable conferences sponsored by The Corporate Counsel, the Securities Regulation Institute, The Rock Center for Corporate Governance, the Society for Corporate Governance, the ABA, the Practical Law Institute, Compensation Standards, Practical ESG and NASPP. He is recognized as a Next Generation Partner by Legal 500, as one of the Ones to Watch® Best Lawyers in America, and was named a Rising Star by Super Lawyers in 2018, 2019, 2020, 2021 and 2022.

Soo Hwang オブ・カウンセル, Capital Markets, Technology Companies Group

Santa Monica

See my bio

D:+1 310 633 2821
E: [email protected]

Practice:

Capital Markets
Technology Companies Group

vCard

See full bio

Soo Hwang オブ・カウンセル

Santa Monica

Soo counsels public and late-stage private companies on both registered and exempt offerings of securities and assists late-stage private companies as they prepare for their initial public offering. She also advises public companies on matters pertaining to corporate governance, stock exchange listing obligations and SEC reporting and disclosure obligations, including interpreting the latest rules and novel securities law issues.