U.S. Securities and Exchange Commission Proposes New Rules on Cybersecurity and Incident Disclosure


Introduction

The landscape of both cybersecurity and privacy continues to evolve rapidly. For example, more states are adopting comprehensive consumer privacy laws, most recently Utah, a trend that continues to put pressure on companies to integrate measures that protect consumer privacy. In the data security space, the U.S. Securities and Exchange Commission (“SEC” or the “Commission”) has recently stepped up its efforts to regulate cybersecurity. On March 9, 2022, the SEC took a significant step toward increasing its role in regulating cybersecurity by proposing new cybersecurity risk management, strategy, governance, and incident disclosure rules for registrants subject to its reporting requirements. In the announcement, the SEC acknowledged cybersecurity as an ever-growing risk. The proposed rules would require registrants to report material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. They would also require periodic disclosures regarding policies and procedures for identifying and managing cybersecurity risks, management’s role in implementing those policies and procedures, the board of directors' cybersecurity expertise and oversight of cybersecurity risk, and updates on previously reported cybersecurity incidents.

The SEC’s proposed rules are designed to better inform investors about companies' risk management, strategy, and governance, and also inform investors of material cybersecurity incidents. The SEC cited the need for consistent, comparable, and decision-useful disclosures in a fact sheet on its proposal.

The proposed new disclosure requirements would apply to various filings, including current reports, periodic reports, and certain proxy statements filed with the SEC. Parties likely to be affected by the proposed rules include investors, registrants, other market participants that use the information in these filings, as well as consumers and other companies in the same industry as affected firms.

Background

The SEC has provided guidance on cybersecurity in the past and devotes an entire section of its website to the topic, which includes numerous topical resources for visitors. In 2011 and 2018, the SEC published significant guidance on cybersecurity disclosures. This previous guidance instructed companies to disclose material cybersecurity risks and incidents in a timely fashion. The newly proposed rules, however, provide significantly more specific requirements regarding disclosures.

Why now?

Over recent years, the world has moved to near-universal reliance on digital technology and electronic communications. The COVID-19 pandemic has contributed to the widespread growth of digitized and virtual economic activity. In a more digitally connected world, there is substantial growth in digital payments and a shift to third-party providers for information technology work, all of which give bad actors an increased ability to monetize cybersecurity incidents. These are all significant factors that the SEC cited in issuing the proposed rules. Cyber risk is becoming one of the most critical governance-related issues for investors, and investors are seeking information about companies’ cyber risk management, strategy, and governance practices. Accordingly, the SEC believes investors would benefit from more timely and consistent disclosure about material cybersecurity incidents.

Despite the previous guidance, the SEC observed that some cybersecurity incidents were reported in the media but never disclosed in the affected company’s filings. Furthermore, the amount of information provided about scope, cause, impact, and materiality varied widely among the companies that did report incidents. The SEC believes the proposed rules will give investors more consistent and meaningful disclosures about cybersecurity incidents.

Key changes to the SEC Disclosures

  • Disclosure of cybersecurity incidents required on Form 8-K within four business days of determining that an incident is material
  • Periodic reporting on previously reported cybersecurity incidents
  • Disclosures about cybersecurity policies and risk management
  • Disclosures about board governance regarding cybersecurity policies and risk management

Disclosure of material cybersecurity incidents on Form 8-K

Under the proposed rules, companies would be required to disclose information about a cybersecurity incident within four business days after the registrant determines it has experienced a material cybersecurity incident. The disclosure must include, to the extent the information is known at the time of filing:

  • When the company discovered the incident and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the company has remediated or is currently remediating the incident.

Importantly, the SEC is not expecting specific technical information about the company’s response, its systems, or system vulnerabilities that would impede the response to or remediation of the incident. The SEC emphasizes that companies should not have to make themselves more vulnerable by making these disclosures. Notably, the trigger date is not the discovery of the incident but the date on which the company determines that the incident is material. This does not mean companies can defer the determination indefinitely: the proposed rules require the determination to be made “as soon as reasonably practicable after discovery of the incident.” In practice, this means an incident response plan needs a defined path for escalating incidents to the people who make the materiality determination, and a record of when that determination was made, since the four-business-day clock runs from that point.

Information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision, or that its disclosure would have significantly altered the total mix of information available. Plenty of cases have addressed “materiality” under the federal securities laws. See TSC Industries, Inc. v. Northway, Inc.; Basic, Inc. v. Levinson; and Matrixx Initiatives, Inc. v. Siracusano. Companies need to carefully assess each incident in light of all the circumstances from a reasonable investor’s perspective.

Periodic reporting on previously reported cybersecurity incidents

The initial disclosure of a cybersecurity incident is not the end of a company’s disclosure obligations. The proposed rules require periodic disclosures regarding previously reported cybersecurity incidents. These additional disclosures would include:

  • Any material change to or addition to the previously disclosed nature and scope of the incident, including whether any data was stolen or altered;
  • Any material impact of the incident on the registrant’s operations or financial condition;
  • Any potential material future impacts on the registrant’s operations and financial condition;
  • Whether the company has remediated or is currently remediating the incident; and
  • Any changes in the registrant’s policies and procedures made because of the incident, and how the incident informed those changes.

The periodic reports must also disclose a series of previously undisclosed, individually immaterial cybersecurity incidents that have become material in the aggregate, and would require the same information about them that the Form 8-K reporting requires.

Disclosures about cybersecurity policies and risk management

The proposed rules also require periodic disclosures about a company’s cybersecurity policies and risk management. These disclosures include:

  • The company’s policies and procedures, if any, for identifying and managing cybersecurity risks;
  • The company’s cybersecurity governance, including the board of directors' oversight role regarding cybersecurity risks; and
  • Management’s role and relevant expertise in assessing and managing cybersecurity-related risks and in implementing related policies, procedures, and strategies.

These requirements are intended to provide more consistent and informative disclosure regarding cyber risk. The SEC is also specifically concerned with third parties and asks for disclosure of, among other things, whether the company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program.

Disclosures about board governance regarding cybersecurity policies and risk management

The proposed rules require disclosure of how the board oversees the registrant’s cybersecurity risk and of whether, and how, management is involved in that oversight and in implementing related policies, procedures, and strategies. The SEC’s view is that this information affects an investor’s ability to understand how a registrant prepares for, prevents, and responds to a cybersecurity incident. The requirement covers whether the full board, specific members, or a committee is responsible for oversight of cybersecurity risks. Companies must also disclose how the board is informed about cybersecurity and how it considers cybersecurity risk as part of business strategy, risk management, and financial oversight. This includes the board’s roles, how frequently the board receives reports on cybersecurity risk, and, specifically, whether any member of the board has cybersecurity expertise and the nature of that expertise.

Dissenting statement

Interestingly, not everyone is on board with the SEC’s proposed disclosure rules. Commissioner Hester M. Peirce dissented, arguing that Congress gave the Commission a more limited role regarding cybersecurity. She argued that the governance disclosures amount to micromanagement of company boards and management by the Commission. Commissioner Peirce also contends that the Commission is not best suited to evaluate cybersecurity for all companies, and she believes the 2018 guidance is sufficient. She further noted that the incident reporting requirement could create tension with, and interfere in, companies’ cooperative relationships with federal and state government partners. In her view, delaying disclosure may increase the chances of recovering funds or identifying a wrongdoer, so temporary relief from disclosure may best protect investors.

Timeframe

Comments must be received by May 9, 2022, or 30 days after the date of publication in the Federal Register, whichever is later. After the comment period closes, the SEC will evaluate the comments and may make changes to address the concerns raised in them. The SEC will then issue the final rules.

Looking ahead

The March 9 proposal sits alongside a separate SEC proposal, issued in February 2022, that would require registered investment advisers and funds to adopt written cybersecurity policies and procedures, report significant cybersecurity incidents to the Commission, and keep related records. Taken together, the two proposals would require covered firms to report and update on cyber incidents and, with the overall goal of better protecting investors from cybersecurity incidents, would improve the availability of cyber-related information and facilitate SEC inspection and enforcement.

Incident disclosure must be made within a short period, but a question remains as to exactly when the materiality determination needs to be made. While disclosure of material incidents was already an SEC expectation under the prior guidance, the proposed rules would require disclosure of specific facts about the breach and the response. The four-business-day deadline indicates that the SEC will likely seek to enforce prompt reporting of incidents. Still, the proposed rule contains no allowance for delaying disclosure to facilitate a law enforcement investigation. Notably, some state breach notification laws allow notification to be delayed where it would assist law enforcement in recovering funds or identifying the wrongdoer.

The required disclosure of cybersecurity policies and risk management effectively requires companies to have such policies and programs. Disclosure of these policies and procedures will likely lead to SEC enforcement against companies whose policies or risk management programs are deficient. The SEC is not a cybersecurity regulator and may not be the best agency to determine which policies or programs best address cybersecurity threats.

Conclusion

The SEC has clearly indicated, with these proposed rules, that it intends to take a more significant role in regulating cybersecurity. Companies should prepare for further SEC scrutiny of their risk management and cybersecurity policies. Special care should be taken during security incidents to identify when an incident becomes material, because that determination starts the disclosure clock. Companies should also consider whether their policies and risk management programs are sufficient and how the board governs cyber-related risk.

For additional information on this topic, please contact Martin Tully at mtully@redgravellp.com.

The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.