BREAKING: SEC Proposes Cybersecurity Disclosure Rules For Public Companies

Today, as predicted here at CPW, a divided SEC voted to propose new
rules that would require public companies to provide current reports
of their material cybersecurity incidents and periodic disclosures
about their cybersecurity policies and procedures. Just a month after
the SEC’s cybersecurity proposal for advisers and funds, the new
proposed rules would apply to all public companies that are subject
to the reporting requirements of the 1934 Exchange Act
(“registrants”). The SEC justifies the new proposed regulations by
citing the growing threat of serious cybersecurity attacks and the
utility of consistent and comparable cybersecurity information for
investors to more efficiently allocate capital.

The proposal would impose two new types of disclosure
requirements on registrants: (1) disclosure of cybersecurity
incidents and (2) disclosure of cybersecurity risk management,
strategy, and governance.

  1. Disclosure of Cybersecurity Incidents

The most notable requirement of the proposal is that it would
amend Form 8-K (through new Item 1.05) to require registrants to
disclose information about a “material cybersecurity
incident” within four business days after the registrant has
determined that the incident it suffered is material. While the
proposal defines “cybersecurity incident” to mean
“an unauthorized occurrence on or conducted through a
registrant’s information systems that jeopardizes the
confidentiality, integrity, or availability of a registrant’s
information systems or any information residing therein”
(proposed 17 C.F.R. §229.106(d)), whether a cybersecurity
incident is “material” will be determined by the standard
applicable to other securities laws: whether “there is a
substantial likelihood that a reasonable shareholder would consider
it important.”

The proposal enumerates certain information registrants would be
required to disclose about any material cybersecurity incident,
including “(1) [w]hen the incident was discovered and whether
it is ongoing; (2) [a] brief description of the nature and scope of
the incident; (3) [w]hether any data was stolen, altered, accessed,
or used for any other unauthorized purpose; (4) [t]he effect of the
incident on the registrant’s operations; and (5) [w]hether the
registrant has remediated or is currently remediating the
incident.” Importantly, the proposal’s four business day
reporting deadline “would not provide for a reporting delay
when there is an ongoing internal or external investigation related
to the cybersecurity incident” and the SEC acknowledges that
“there is a possibility a registrant would be required to
disclose the incident on Form 8-K even though it could delay
incident reporting under a particular state law.”

In addition to mandating current disclosures about cybersecurity
incidents, the proposal’s new Item 106(d) of Regulation S-K
would require registrants to provide, through a registrant’s
quarterly Form 10-Q or annual Form 10-K, any material changes or
updates to previously disclosed cybersecurity incidents. Item
106(d)(2) would also require disclosure “when a series of
previously undisclosed individually immaterial cybersecurity
incidents become material in the aggregate.”

Finally, foreign private issuers would be required to disclose
cybersecurity incident information through a similar current
report, Form 6-K, and similar annual report, Form 20-F.

  2. Disclosure of Cybersecurity Risk Management, Strategy,
    and Governance

Apart from the cybersecurity incident reporting, the proposal
would amend Regulation S-K and Form 20-F to require “enhanced
and standardized disclosure on registrants’ cybersecurity risk
management, strategy, and governance.” As to risk management
and strategy, proposed Item 106(b)(1) to Regulation S-K would
require registrants to adequately describe the procedures the
registrant has, if any, for the “identification and management
of risks from cybersecurity threats,” with eight enumerated
subtopics. See proposed 17 C.F.R. §229.106(b)(1).
These subtopics include, among other things, a discussion of
whether “[t]he registrant engages assessors, consultants,
auditors, or other third parties in connection with any
cybersecurity risk assessment program” and whether
“[c]ybersecurity related risks and previous cybersecurity
related incidents have affected or are reasonably likely to affect
the registrant’s strategy, business model, results of
operations, or financial condition and if so, how.”
Id. §229.106(b)(1)(ii), (vii).

As to cybersecurity governance, registrants would have to
describe their board’s “oversight of cybersecurity
risk,” including identifying which board members or committees
oversee cybersecurity risks and the frequency with which the board
discusses cybersecurity risks. Id. §229.106(c)(1).
Outside of the boardroom, the proposal would also require
disclosure of how the registrant’s management assesses
cybersecurity-related risks, including a description of the persons
or committees managing cybersecurity risk and a description of the
expertise of any chief information security officer.

Finally, Item 407 of Regulation S-K would be amended to require
registrants to disclose information about the cybersecurity
expertise of members of the board of directors, if any.
§229.407(j). “If any member of the board has
cybersecurity expertise, the registrant would have to disclose the
name(s) of any such director(s), and provide such detail as
necessary to fully describe the nature of the expertise.” This
disclosure would be required in the registrant’s Form 10-K and
in any proxy or information statement with respect to the election
of directors.

The proposed rules are open to public comment and may be revised
before an eventual SEC vote for final approval.

Today’s proposal continues a flurry of recent cybersecurity
policy actions by the SEC. In a public address early last month, SEC Chair
Gary Gensler outlined six areas where he had asked SEC staff to
consider cybersecurity-related regulations. With the announcements
of proposed SEC rules affecting public companies and investment
advisers, there remains a strong possibility of further
cybersecurity proposals addressing the remaining areas identified
by Chair Gensler in that address and his statement accompanying today’s proposal:
broker-dealers, Regulation SCI, Regulation S-P, and third-party
financial service providers. In other words, there may be much more
to come. CPW will be there to keep you in the loop.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
