December 6, 2022

Volume XII, Number 340


BREAKING: SEC Proposes Cybersecurity Disclosure Rules for Public Companies

Today, as predicted here at CPW, a divided SEC voted to propose new rules that would require public companies to provide current reports of their material cybersecurity incidents and periodic disclosures about their cybersecurity policies and procedures. Just a month after the SEC’s cybersecurity proposal for advisers and funds, the new proposed rules would apply to all public companies that are subject to the reporting requirements of the 1934 Exchange Act (“registrants”). The SEC justifies the new proposed regulations by citing the growing threat of serious cybersecurity attacks and the utility of consistent and comparable cybersecurity information for investors to more efficiently allocate capital.

The proposal would impose two new types of disclosure requirements on registrants: (1) disclosure of cybersecurity incidents and (2) disclosure of cybersecurity risk management, strategy, and governance.

  1. Disclosure of Cybersecurity Incidents

The most notable requirement of the proposal is that it would amend Form 8-K (through new Item 1.05) to require registrants to disclose information about a “material cybersecurity incident” within four business days after the registrant has determined that the incident it suffered is material. While the proposal defines “cybersecurity incident” to mean “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein” (proposed 17 C.F.R. § 229.106(d)), whether a cybersecurity incident is “material” will be determined by the standard applicable to other securities laws: whether “there is a substantial likelihood that a reasonable shareholder would consider it important.”

The proposal enumerates certain information registrants would be required to disclose about any material cybersecurity incident, including “(1) [w]hen the incident was discovered and whether it is ongoing; (2) [a] brief description of the nature and scope of the incident; (3) [w]hether any data was stolen, altered, accessed, or used for any other unauthorized purpose; (4) [t]he effect of the incident on the registrant’s operations; and (5) [w]hether the registrant has remediated or is currently remediating the incident.” Importantly, the proposal’s four-business-day reporting deadline “would not provide for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident,” and the SEC acknowledges that “there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law.”

In addition to mandating current disclosures about cybersecurity incidents, the proposal’s new Item 106(d) of Regulation S-K would require registrants to provide—through a registrant’s quarterly Form 10-Q or annual Form 10-K—any material changes or updates to previously disclosed cybersecurity incidents. Item 106(d)(2) would also require disclosure “when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate.”

Finally, foreign private issuers would be required to disclose cybersecurity incident information through a similar current report, Form 6-K, and similar annual report, Form 20-F.

  2. Disclosure of Cybersecurity Risk Management, Strategy, and Governance

Apart from the cybersecurity incident reporting, the proposal would amend Regulation S-K and Form 20-F to require “enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy, and governance.” As to risk management and strategy, proposed Item 106(b)(1) of Regulation S-K would require registrants to adequately describe the procedures the registrant has, if any, for the “identification and management of risks from cybersecurity threats,” with eight enumerated subtopics. See proposed 17 C.F.R. § 229.106(b)(1). These subtopics include, among other things, a discussion of whether “[t]he registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program” and whether “[c]ybersecurity related risks and previous cybersecurity related incidents have affected or are reasonably likely to affect the registrant’s strategy, business model, results of operations, or financial condition and if so, how.” Id. § 229.106(b)(1)(ii), (vii).

As to cybersecurity governance, registrants would have to describe their board’s “oversight of cybersecurity risk,” including identifying which board members or committees oversee cybersecurity risks and the frequency with which the board discusses cybersecurity risks. Id. § 229.106(c)(1). Outside of the boardroom, the proposal would also require disclosure of how the registrant’s management assesses cybersecurity-related risks, including a description of the persons or committees managing cybersecurity risk and a description of the expertise of any chief information security officer.

Finally, Item 407 of Regulation S-K would be amended to require registrants to disclose information about the cybersecurity expertise of members of the board of directors, if any. Id. § 229.407(j). “If any member of the board has cybersecurity expertise, the registrant would have to disclose the name(s) of any such director(s), and provide such detail as necessary to fully describe the nature of the expertise.” This disclosure would be required in the registrant’s Form 10-K and in any proxy or information statement with respect to the election of directors.

The proposed rules are open to public comment and may be revised before an eventual SEC vote for final approval.

Today’s proposal continues a flurry of recent cybersecurity policy actions by the SEC. In a public address early last month, SEC Chair Gary Gensler outlined six areas where he had asked SEC staff to consider cybersecurity-related regulations. With the announcements of proposed SEC rules affecting public companies and investment advisers, there remains a strong possibility of further cybersecurity proposals addressing the remaining areas identified by Chair Gensler in that address and his statement accompanying today’s proposal: broker-dealers, Regulation SCI, Regulation S-P, and third-party financial service providers. In other words, there may be much more to come.

© Copyright 2022 Squire Patton Boggs (US) LLP

National Law Review, Volume XII, Number 69

About this Author

Joseph Weinstein, Litigation Attorney, Squire Patton Boggs Law Firm

Joseph C. Weinstein has more than 25 years of experience handling high-stakes, complex disputes in courts and arbitrations nationwide. His extensive experience covers a wide range of subjects including complex business transactions, contract disputes, securities fraud, shareholder derivative, directors and officers’ liability, antitrust/unfair competition, product liability and consumer fraud. He regularly serves as lead counsel in class actions and in multidistrict litigation.

Sean L. McGrane, Litigation Attorney, Squire Patton Boggs, Cleveland

Sean McGrane is a litigation partner who focuses his practice on defending corporations and their officers and directors against civil securities-fraud claims, shareholder derivative actions, and mergers and acquisition lawsuits. His practice includes representing clients in investigations or proceedings brought by governmental or other regulatory agencies, including the US Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority. Before joining the firm, Sean practiced securities litigation in the New York offices of Skadden, Arps, Slate...

Kristin L. Bryan, Litigation Attorney (Senior Associate), Squire Patton Boggs, Cleveland, OH & New York, NY

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

James M. Brennan, Litigation Lawyer, Squire Patton Boggs

James (Jim) Brennan is an associate in the Litigation Practice Group, where he represents clients in complex commercial litigation matters in state and federal courts. Prior to joining the firm, Jim clerked for Chief Judge D. Brooks Smith of the US Court of Appeals for the Third Circuit. Before that, he was an associate at an AmLaw 100 law firm in New York City.