Today, as predicted here at CPW, a divided SEC voted to propose new rules that would require public companies to provide current reports of their material cybersecurity incidents and periodic disclosures about their cybersecurity policies and procedures. Just a month after the SEC’s cybersecurity proposal for advisers and funds, the new proposed rules would apply to all public companies that are subject to the reporting requirements of the 1934 Exchange Act (“registrants”). The SEC justifies the new proposed regulations by citing the growing threat of serious cybersecurity attacks and the utility of consistent and comparable cybersecurity information for investors to more efficiently allocate capital.
The proposal would impose two new types of disclosure requirements on registrants: (1) disclosure of cybersecurity incidents and (2) disclosure of cybersecurity risk management, strategy, and governance.
Disclosure of Cybersecurity Incidents
The most notable requirement of the proposal is that it would amend Form 8-K (through new Item 1.05) to require registrants to disclose information about a “material cybersecurity incident” within four business days after the registrant has determined that the incident it suffered is material. While the proposal defines “cybersecurity incident” to mean “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein” (proposed 17 C.F.R. §229.106(d)), whether a cybersecurity incident is “material” will be determined by the standard applicable to other securities laws: whether “there is a substantial likelihood that a reasonable shareholder would consider it important.”
The proposal enumerates certain information registrants would be required to disclose about any material cybersecurity incident, including “(1) [w]hen the incident was discovered and whether it is ongoing; (2) [a] brief description of the nature and scope of the incident; (3) [w]hether any data was stolen, altered, accessed, or used for any other unauthorized purpose; (4) [t]he effect of the incident on the registrant’s operations; and (5) [w]hether the registrant has remediated or is currently remediating the incident.” Importantly, the proposal’s four business day reporting deadline “would not provide for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident” and the SEC acknowledges that “there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law.”
In addition to mandating current disclosures about cybersecurity incidents, the proposal’s new Item 106(d) of Regulation S-K would require registrants to provide—through a registrant’s quarterly Form 10-Q or annual Form 10-K—any material changes or updates to previously disclosed cybersecurity incidents. Item 106(d)(2) would also require disclosure “when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate.”
Finally, foreign private issuers would be required to disclose cybersecurity incident information through a similar current report, Form 6-K, and similar annual report, Form 20-F.
Disclosure of Cybersecurity Risk Management, Strategy, and Governance
Apart from the cybersecurity incident reporting, the proposal would amend Regulation S-K and Form 20-F to require “enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy, and governance.” As to risk management and strategy, proposed Item 106(b)(1) to Regulation S-K would require registrants to adequately describe the procedures the registrant has, if any, for the “identification and management of risks from cybersecurity threats,” with eight enumerated subtopics. See proposed 17 C.F.R. §229.106(b)(1). These subtopics include, among other things, a discussion of whether “[t]he registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program” and whether “[c]ybersecurity related risks and previous cybersecurity related incidents have affected or are reasonably likely to affect the registrant’s strategy, business model, results of operations, or financial condition and if so, how.” Id. §229.106(b)(1)(ii), (vii).
As to cybersecurity governance, registrants would have to describe their board’s “oversight of cybersecurity risk,” including identifying which board members or committees oversee cybersecurity risks and the frequency with which the board discusses cybersecurity risks. Id. §229.106(c)(1). Outside of the boardroom, the proposal would also require disclosure of how the registrant’s management assesses cybersecurity-related risks, including a description of the persons or committees managing cybersecurity risk and a description of the expertise of any chief information security officer.
Finally, Item 407 of Regulation S-K would be amended to require registrants to disclose information about the cybersecurity expertise of members of the board of directors, if any. §229.407(j). “If any member of the board has cybersecurity expertise, the registrant would have to disclose the name(s) of any such director(s), and provide such detail as necessary to fully describe the nature of the expertise.” This disclosure would be required in the registrant’s Form 10-K and in any proxy or information statement with respect to the election of directors.
The proposed rules are open to public comment and may be revised before an eventual SEC vote for final approval.
Today’s proposal continues a flurry of recent cybersecurity policy actions by the SEC. In a public address early last month, SEC Chair Gary Gensler outlined six areas where he had asked SEC staff to consider cybersecurity-related regulations. With the announcements of proposed SEC rules affecting public companies and investment advisers, there remains a strong possibility of further cybersecurity proposals addressing the remaining areas identified by Chair Gensler in that address and his statement accompanying today’s proposal: broker-dealers, Regulation SCI, Regulation S-P, and third-party financial service providers. In other words, there may be much more to come.