On March 9, 2022, the Securities and Exchange Commission (SEC) proposed rules that would require disclosure of the occurrence of, and developments related to, material cybersecurity incidents. The proposed rules would also require annual disclosure by public companies of their cybersecurity risk management policies, procedures and strategy, including the role of the board and whether the directors on the board have cybersecurity expertise. The proposed rules, with limited exceptions, will apply to foreign private issuers (FPIs).
The proposed rules are subject to a public comment period that will remain open until the later of May 9, 2022 and 30 days following publication of the proposing release in the Federal Register.
The proposed rules would require reporting in a Current Report on Form 8-K of cybersecurity incidents within four business days of a determination that the incident is material, with a requirement to provide material updates of previously disclosed cybersecurity incidents in Quarterly Reports on Form 10-Q and Annual Reports on Form 10-K. The proposed rules would also require periodic disclosures regarding a company’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, the board’s oversight of cybersecurity risk and the expertise of the board in cybersecurity (if any). The proposed rules would also require cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).
The SEC has over the last few years identified cybersecurity risks and risk management as a key area of disclosure reform. With this rule proposal, the SEC has moved well past its previous focus on whether a public company’s risk factor disclosure presents the full cybersecurity risk that it faces. The proposed rules significantly expand the current SEC interpretative guidance related to cybersecurity disclosures issued in 2018, which we described in our related client publication, SEC Adopts Interpretive Guidance On Cybersecurity Disclosures. The new rules follow increased SEC enforcement related to cybersecurity disclosures. In recent SEC enforcement actions, the SEC has asserted that a cybersecurity incident could trigger a finding of a failure of internal control over financial reporting and a company’s response to a cybersecurity incident could reveal weaknesses in its disclosure controls and procedures. The SEC has also scrutinized statements made by public companies in connection with the announcement of a cybersecurity incident and found them misleading. We discuss these recent cybersecurity developments in our article, The SEC Double-Clicks on Cybersecurity, which is included in our Corporate Governance & Executive Compensation Survey 2021.
In the proposed rules, the SEC is attempting to address its concern that cybersecurity incidents continue to be underreported by public companies despite a significant increase in material cybersecurity threats in recent years. The SEC staff has observed that certain cybersecurity incidents have been reported in the media but not disclosed in company filings and that, even when disclosures about cybersecurity breaches are made, they are not always timely. For instance, the SEC noted that, according to Audit Analytics data, in 2020 it took on average 44 days for companies to discover breaches and an additional 53 days to disclose the breach after its discovery. The SEC asserts that the proposed amendments are thus intended to better inform investors about a company’s risk management, strategy and governance and to provide timely notification of material cybersecurity incidents.
The proposed rules are the latest in a series of cybersecurity-related rules proposed by the SEC, which include proposed rules relating to cybersecurity risk management for investment advisers, registered investment companies and business development companies that were published on February 9, 2022. SEC Chair Gary Gensler has also asked the SEC staff to make further recommendations with respect to broker-dealers, Regulation SCI and intermediaries’ requirements regarding customer notices (Regulation S-P), all of which is in recognition that the SEC views cybersecurity as one of the most significant risks that investors need to consider and market participants need to address.
The proposed rules would add new Item 1.05 to Form 8-K, requiring a company to disclose specific information about a cybersecurity incident within four business days after it determines that it has experienced a material cybersecurity incident.
The proposed rules would require a company to disclose the following information about a material cybersecurity incident, to the extent the information is known at the time of the Form 8‑K filing:
The four-business-day reporting deadline would commence from the date on which a company determines that a cybersecurity incident is material, rather than the date on which the company discovers the incident. The proposed rules require that a materiality determination regarding a cybersecurity incident be made as soon as reasonably practicable after discovery of the incident.
Information would be considered material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if the information would have significantly altered the ‘total mix’ of information made available. Materiality assessments should consider both quantitative and qualitative factors.
In the context of cybersecurity, the materiality assessment is informed by a whole range of potential losses that cybersecurity incidents could cause, including business interruption and loss of revenue, reputational damage and the costs of remediation, litigation, and insurance that could arise from incidents such as ransomware attacks, distributed denial-of-service attacks and the compromise or exfiltration of data.
The SEC’s proposing release includes the following non-exclusive list of examples of cybersecurity incidents that may trigger a Form 8-K filing if determined by the company to be material:
The proposed rules do not permit a company to delay reporting a material cybersecurity incident if there is an ongoing internal or external investigation or if law enforcement requests that a company delay public disclosure. While the SEC recognized that a delay in reporting may facilitate law enforcement investigations, the SEC indicated that, on balance, its current view is that timely disclosure to investors of material cybersecurity incidents justifies not permitting a delay in disclosure.
The proposing release stated that the Commission would not expect a company to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the company’s response or remediation of the incident.
The proposed rules also amend Form S-3 to provide that a failure to timely disclose a material cybersecurity incident under Item 1.05 of Form 8-K would not result in the loss of eligibility to use Form S-3.
The proposed rules would amend Form 10-K and Form 10-Q to add new Item 106 of Regulation S-K, which would require companies to update information regarding cybersecurity incidents previously disclosed in Form 8-K. Companies would also be required to disclose, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.
The SEC considers this new requirement as balancing the need for prompt and timely disclosure of material cybersecurity incidents with the recognition that companies may not have complete information about an incident at the time they are required to make a Form 8-K disclosure.
The proposed new Item 106 would require disclosure in Form 10-Q and Form 10-K of material changes, additions or updates to material cybersecurity incidents that were previously disclosed on Form 8-K.
The proposing release provided the following non-exclusive list of examples of the type of disclosure that should be provided, as applicable:
A company would also be required to disclose in a Form 10-Q or Form 10-K, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate. If a company makes such a determination, it would be required to make the following disclosures in the Form 10-Q or Form 10-K for the period in which such a determination was made:
The proposed new Item 106 of Regulation S-K would also require a company to provide the following disclosure in its Form 10-K regarding its policies and procedures related to cybersecurity risk management:
Cybersecurity Risk Management and Strategy
The proposed rules would require companies to disclose in the Form 10-K their policies and procedures (if any) to identify and manage cybersecurity risks and threats, including operational risk, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal risk and reputational risk.
Specifically, the proposed rules would require disclosure, as applicable, of whether:
The proposed rules require disclosure of cybersecurity policies and procedures only to the extent such policies and procedures exist, and the SEC acknowledges that the proposed rules in their current form would not require a company to affirmatively disclose that it has not established cybersecurity policies or procedures along any of the factors listed above.
Board Oversight of Cybersecurity
The proposed rules would also require disclosure in the Form 10-K of the board’s oversight of cybersecurity risk, which would include the following information:
Management’s Role in Cybersecurity
The proposed rules would require disclosure in Form 10-K of the experience of management as it relates to managing cybersecurity risk, including the following information:
The proposed rules would amend Item 407 of Regulation S-K to require disclosure in the proxy statement or the Form 10-K of the names of any member of the board that has “cybersecurity expertise,” as well as such detail as necessary to describe the nature of the expertise.
The proposed rules build upon the existing disclosure requirements in Item 401(e) of Regulation S-K (business experience of directors) and Item 407(h) of Regulation S-K (board risk oversight).
The proposed rules do not define cybersecurity expertise, but include the following non-exclusive list of criteria that a company should consider in reaching a determination on whether a director has expertise in cybersecurity:
The proposed rules provide that a director who is determined to have cybersecurity expertise will not be deemed an expert for any purpose, including for purposes of Section 11 of the Securities Act. Consistent with the rules that apply to an audit committee financial expert, a director who is designated as having cybersecurity expertise does not have greater duties or obligations than other directors and, similarly, the presence of a director with cybersecurity expertise does not lower the duties and obligations of the other directors in relation to the oversight of cybersecurity matters.
The proposed rules require that the disclosures be presented in Inline XBRL. The proposed rules require block text tagging of narrative disclosures, as well as detail tagging of quantitative amounts disclosed within the narrative disclosures.
The use of Inline XBRL tagging of cybersecurity disclosures makes the disclosures more easily accessible to market participants by enabling aggregation, comparison, filtering and other analysis of the tagged disclosures.
The proposed rules amend Form 20-F to require that FPIs provide cybersecurity disclosures in their annual reports filed on Form 20-F. The proposed rules are consistent with the disclosures required to be made by domestic issuers in their annual reports, although since FPIs are not subject to SEC rules for proxy or information statement filings, no proxy statement disclosures are required for FPIs.
Canadian FPIs who use the SEC’s multijurisdictional disclosure system (MJDS) are excluded from the scope of the proposed rules.
Unlike domestic companies, FPIs are not required to file Current Reports on Form 8-K. Instead, they are required to furnish on Form 6-K copies of all information that the FPI (i) makes or is required to make public under the laws of its jurisdiction of incorporation or domicile, (ii) files or is required to file under the rules of any stock exchange (where such information is made public by the stock exchange), or (iii) otherwise distributes or is required to distribute to its security holders. The proposed rules amend Form 6-K by adding “cybersecurity incidents” as a reporting topic, meaning that the information required to be furnished on Form 6-K includes information which is material with respect to the company and its subsidiaries concerning cybersecurity incidents.
In its proposing release, the SEC stated that, as with the proposed Item 1.05 of Form 8-K for domestic companies, the proposed change to Form 6-K is intended to provide timely cybersecurity incident disclosure in a manner that is consistent with the general purpose and use of Form 6-K. Furthermore, with respect to incident disclosure, where an FPI has previously reported an incident on Form 6-K, the proposed amendments would require annual reports on Form 20-F to contain an update regarding such incidents, consistent with proposed Item 106 of Regulation S-K.
In contrast to the position for domestic companies, a four-business-day reporting deadline was not included in the proposed amendments to Form 6-K. A Form 6-K must be furnished to the SEC promptly after the relevant material included in the Form 6-K is published (which, as a matter of best practice, is typically the same business day on which the company publishes the information in satisfaction of a local law or stock exchange requirement).
The failure to make a timely Form 6-K disclosure does not result in the loss of eligibility to use Form F-3.
One of the most obvious impacts of the proposed rules is the four-business-day reporting deadline, which is a central part of the SEC’s approach to requiring more timely disclosure of cybersecurity incidents. It is certain that some form of the proposed Form 8-K reporting of material cybersecurity incidents will be included in the final rules, so companies should begin to prepare now.
Companies should ensure that their disclosure committees are directly connected to the individuals in the company who are responsible for evaluating and reporting the occurrence of a cybersecurity incident. Companies should review the escalation procedures within their information security teams that relate to identifying when cybersecurity incidents occur, in order to ensure that there is a reporting line to the disclosure committee (or those responsible for making disclosure and materiality assessments). The disclosure committee should maintain these lines of communication after the occurrence of a cybersecurity incident as the scope and severity of the incident are uncovered, so that timely materiality assessments can be made. Companies should advise their information security teams of the importance of tracking related minor cybersecurity incidents, so that an assessment can be made as to whether any periodic disclosure requirement is triggered by individually immaterial cybersecurity incidents becoming material in the aggregate.
Companies should also be mindful that the four-business-day disclosure deadline does not take into consideration any other provisions of law (such as state or local data protection laws) that may permit or mandate a delay in notifying the public about material cybersecurity incidents. Therefore, companies should consider how the timing of potential SEC-required disclosures may affect their existing regulatory or contractual obligations.
Given the high level of specificity in the disclosure rules, companies and boards should consider reviewing their cybersecurity policies and procedures. Although the final rules are not yet in place, given the statements by a majority of the Commission, including the Chair of the SEC, we should expect final rules that adopt many of the proposed disclosure requirements related to cybersecurity risk management policies and procedures.
Although the proposed rules do not mandate policy and governance changes, companies should consider how “gaps” in disclosures relative to the new rules will be perceived by investors. Additionally, the SEC could adopt a final rule that requires companies to affirmatively identify gaps in cybersecurity policies relative to the new rules and explain the reasons for those gaps.
The proposed rules require companies to identify directors who have cybersecurity expertise, as well as the nature of that expertise. While the new rules do not mandate cybersecurity expertise on the board, and companies that do not have directors with cybersecurity expertise are not required to affirmatively disclose that lack of expertise, companies may nonetheless feel pressure to ensure that their board includes directors with cybersecurity expertise. Recruiting directors with cybersecurity expertise has become very challenging, as these candidates are highly sought after by many public companies. For companies whose cybersecurity risk profile may be lower than that of tech or consumer-facing companies or companies that handle sensitive personal data, it remains to be seen whether this new disclosure requirement will place pressure on them to also add cybersecurity expertise to the board.
The SEC is seeking comments on the proposed rules from interested parties.
The SEC posed various specific questions for commenters to consider in their responses, some of which are presented below:
We would be pleased to assist you in preparing a comment letter in response to these questions or other portions of the proposed rules. Please reach out to your Shearman & Sterling contacts for assistance.
Special thanks to visiting attorney Pedro de Elizalde and associate Jessica Kelly (both Capital Markets) who contributed to this publication.
See TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438 (1976); Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988); and Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011).