Shearman And Sterling

March 14, 2022

SEC Proposes New Cybersecurity Disclosure Rules

On March 9, 2022, the Securities and Exchange Commission (SEC) proposed rules that would require disclosure of the occurrence of, and developments related to, material cybersecurity incidents. The proposed rules would also require annual disclosure by public companies of their cybersecurity risk management policies, procedures and strategy, including the role of the board and whether the directors on the board have cybersecurity expertise. The proposed rules, with limited exceptions, will apply to foreign private issuers (FPIs).

The proposed rules are subject to a public comment period that will remain open until the later of May 9, 2022 and 30 days following publication of the proposing release in the Federal Register.

Overview

The proposed rules would require reporting in a Current Report on Form 8-K of cybersecurity incidents within four business days of a determination that the incident is material, with a requirement to provide material updates of previously disclosed cybersecurity incidents in Quarterly Reports on Form 10-Q and Annual Reports on Form 10-K. The proposed rules would also require periodic disclosures regarding a company’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, the board’s oversight of cybersecurity risk and the expertise of the board in cybersecurity (if any). The proposed rules would also require cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).

The SEC has over the last few years identified cybersecurity risks and risk management as a key area of disclosure reform. With this rule proposal, the SEC has moved well past its previous focus on whether a public company’s risk factor disclosure presents the full cybersecurity risk that it faces. The proposed rules significantly expand the current SEC interpretative guidance related to cybersecurity disclosures issued in 2018, which we described in our related client publication, SEC Adopts Interpretive Guidance On Cybersecurity Disclosures. The new rules follow increased SEC enforcement related to cybersecurity disclosures. In recent SEC enforcement actions, the SEC has asserted that a cybersecurity incident could trigger a finding of a failure of internal control over financial reporting and a company’s response to a cybersecurity incident could reveal weaknesses in its disclosure controls and procedures. The SEC has also scrutinized statements made by public companies in connection with the announcement of a cybersecurity incident and found them misleading. We discuss these recent cybersecurity developments in our article, The SEC Double-Clicks on Cybersecurity, which is included in our Corporate Governance & Executive Compensation Survey 2021.

In the proposed rules, the SEC is attempting to address its concern that cybersecurity incidents continue to be underreported by public companies despite a significant increase in material cybersecurity threats in recent years. The SEC staff has observed that certain cybersecurity incidents have been reported in the media but not disclosed in company filings and that, even when disclosures about cybersecurity breaches are made, they are not always timely. For instance, the SEC noted that, according to Audit Analytics data, in 2020 it took on average 44 days for companies to discover breaches and an additional 53 days to disclose the breach after its discovery. The SEC asserts that the proposed amendments are thus intended to better inform investors about a company’s risk management, strategy and governance and to provide timely notification of material cybersecurity incidents.

The proposed rules are the latest in a series of cybersecurity-related rules proposed by the SEC, which include proposed rules relating to cybersecurity risk management for investment advisers, registered investment companies and business development companies that were published on February 9, 2022. SEC Chair Gary Gensler has also asked the SEC staff to make further recommendations with respect to broker-dealers, Regulation SCI and intermediaries’ requirements regarding customer notices (Regulation S-P), all of which is in recognition that the SEC views cybersecurity as one of the most significant risks that investors need to consider and market participants need to address.

Proposed Rules

Form 8-K Reporting of Material Cybersecurity Incidents

The proposed rules would add new Item 1.05 to Form 8-K, requiring a company to disclose specific information about a cybersecurity incident within four business days after it determines that it has experienced a material cybersecurity incident.

The proposed rules would require a company to disclose the following information about a material cybersecurity incident, to the extent the information is known at the time of the Form 8‑K filing:

  • when the incident was discovered and whether it is ongoing;
  • a brief description of the nature and scope of the incident;
  • whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • the effect of the incident on the registrant’s operations; and
  • whether the registrant has remediated or is currently remediating the incident.

The four-business day reporting deadline would commence from the date on which a company determines that a cybersecurity incident is material, rather than the date that the company discovers the incident. The proposed rules require that a materiality determination regarding a cybersecurity incident be made as soon as reasonably practicable after discovery of the incident.

Information would be considered material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if the information would have significantly altered the ‘total mix’ of information made available. Materiality assessments should consider both quantitative and qualitative factors.[1]

In the context of cybersecurity, the materiality assessment is informed by a whole range of potential losses that cybersecurity incidents could cause, including business interruption and loss of revenue, reputational damage and the costs of remediation, litigation, and insurance that could arise from incidents such as ransomware attacks, distributed denial-of-service attacks and the compromise or exfiltration of data.

The SEC’s proposing release includes the following non-exclusive list of examples of cybersecurity incidents that may trigger a Form 8-K filing if determined by the company to be material:

  • an unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system or network) or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
  • an unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
  • an incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant;
  • an incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
  • an incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.

The proposed rules do not permit a company to delay reporting a material cybersecurity incident if there is an ongoing internal or external investigation or if law enforcement requests that a company delay public disclosure. While the SEC recognized that a delay in reporting may facilitate law enforcement investigations, the SEC indicated that, on balance, its current view is that timely disclosure to investors of material cybersecurity incidents justifies not permitting a delay to disclosure.

The proposing release stated that the Commission would not expect a company to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the company’s response or remediation of the incident.

The proposed rules also amend Form S-3 to provide that a failure to timely disclose a material cybersecurity incident under Item 1.05 of Form 8-K would not result in the loss of eligibility to use Form S-3.

Disclosure of Cybersecurity Incidents in Periodic Reports

The proposed rules would amend Form 10-K and Form 10-Q to add new Item 106 of Regulation S-K, which would require companies to update information regarding cybersecurity incidents previously disclosed in Form 8-K. Companies would also be required to disclose, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.

The SEC considers this new requirement as balancing the need for prompt and timely disclosure of material cybersecurity incidents with the recognition that companies may not have complete information about an incident at the time they are required to make a Form 8-K disclosure.

Updates to Previously Disclosed Material Cybersecurity Incidents

The proposed new Item 106 would require disclosure in Form 10-Q and Form 10-K of material changes, additions or updates to material cybersecurity incidents that were previously disclosed on Form 8-K.

The proposing release provided the following non-exclusive list of examples of the type of disclosure that should be provided, as applicable:

  • any material impact of the incident on the company’s operations and financial condition;
  • any potential material future impacts on the company’s operations and financial condition;
  • whether the company has remediated or is currently remediating the incident; and
  • any changes in the company’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.

Disclosure of Individually Immaterial Cybersecurity Incidents that have Become Material in the Aggregate

A company would also be required to disclose in a Form 10-Q or Form 10-K, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate. If a company makes such a determination, it would be required to make the following disclosures in the Form 10-Q or Form 10-K for the period in which such a determination was made:

  • a general description of when the incidents were discovered and whether they are ongoing;
  • a brief description of the nature and scope of the incidents;
  • whether any data was stolen or altered in connection with the incidents;
  • the effect of the incidents on the registrant’s operations; and
  • whether the registrant has remediated or is currently remediating the incidents.

Disclosure of Cybersecurity Policies and Governance

Overview

The proposed new Item 106 of Regulation S-K would also require a company to provide the following disclosure in its Form 10-K regarding its policies and procedures related to cybersecurity risk management:

  • policies and procedures, if any, for identifying and managing cybersecurity risks;
  • the role of the board in overseeing cybersecurity risks; and
  • management’s role and relevant expertise in assessing and managing cybersecurity related risks and implementing related policies, procedures, and strategies.

Cybersecurity Risk Management and Strategy

The proposed rules would require companies to disclose in the Form 10-K their policies and procedures (if any) to identify and manage cybersecurity risks and threats, including operational risk, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal risk and reputational risk.

Specifically, the proposed rules would require disclosure, as applicable, of whether:

  • the company has a cybersecurity risk assessment program and if so, provide a description of such program;
  • the company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
  • the company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third party service provider, including whether and how cybersecurity considerations affect the selection and oversight of these providers;
  • the company undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
  • the company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
  • previous cybersecurity incidents have informed changes in the company’s governance, policies and procedures, or technologies;
  • cybersecurity related risk and incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition and if so, how; and
  • cybersecurity risks are considered as part of the company’s business strategy, financial planning, and capital allocation and if so, how.

The proposed rules require disclosure of the cybersecurity policies and procedures only to the extent such policies and procedures exist, but the SEC acknowledges that the proposed rules in the current form would not require a company to affirmatively disclose if it has not established cybersecurity policies or procedures along any of the factors listed above.

Board Oversight of Cybersecurity

The proposed rules would also require disclosure in the Form 10-K of the board’s oversight of cybersecurity risk, which would include the following information:

  • whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks;
  • the processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
  • whether and how the board or board committee considers cybersecurity risks as part of the registrant’s business strategy, risk management and financial oversight.

Management’s Role in Cybersecurity

The proposed rules would require disclosure in Form 10-K of the experience of management as it relates to managing cybersecurity risk, including the following information:

  • whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
  • whether the registrant has designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons;
  • the processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
  • whether and how frequently such persons or committees report to the board or a committee of the board on cybersecurity risk.

Cybersecurity Expertise of the Board

The proposed rules would amend Item 407 of Regulation S-K to require disclosure in the proxy statement or the Form 10-K of the names of any member of the board that has “cybersecurity expertise,” as well as such detail as necessary to describe the nature of the expertise.

The proposed rules build upon the existing disclosure requirements in Item 401(e) of Regulation S-K (business experience of directors) and Item 407(h) of Regulation S-K (board risk oversight).

The proposed rules do not define cybersecurity expertise, but include the following non-exclusive list of criteria that a company should consider in reaching a determination on whether a director has expertise in cybersecurity:

  • whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager or business continuity planner;
  • whether the director has obtained a certification or degree in cybersecurity; and
  • whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling or business continuity planning.

The proposed rules provide that a director who is determined to have cybersecurity expertise will not be deemed an expert for any purpose, including for purposes of Section 11 of the Securities Act. Consistent with the rules that apply to an audit committee financial expert, a director that is designated to have cybersecurity expertise does not have greater duties or obligations than other directors and, similarly, the existence of a director that has cybersecurity expertise does not lower the duties and obligations of the other directors in relation to the oversight of cybersecurity matters.

Inline XBRL

The proposed rules require that the disclosures be presented in Inline XBRL. The proposed rules require block text tagging of narrative disclosures, as well as detail tagging of quantitative amounts disclosed within the narrative disclosures.

The use of Inline XBRL tagging of cybersecurity disclosures makes the disclosures more easily accessible to market participants by enabling aggregation, comparison, filtering and other analysis of the tagged disclosures.

Applicability to Foreign Private Issuers

Form 20-F

The proposed rules amend Form 20-F to require that FPIs provide cybersecurity disclosures in their annual reports filed on Form 20-F. The proposed rules are consistent with the disclosures required to be made by domestic issuers in their annual reports, although since FPIs are not subject to SEC rules for proxy or information statement filings, no proxy statement disclosures are required for FPIs.

Canadian FPIs who use the SEC’s multijurisdictional disclosure system (MJDS) are excluded from the scope of the proposed rules.

Form 6-K

Unlike domestic companies, FPIs are not required to file Current Reports on Form 8-K. Instead, they are required to furnish on Form 6-K copies of all information that the FPI (i) makes or is required to make public under the laws of its jurisdiction of incorporation or domicile, (ii) files or is required to file under the rules of any stock exchange (where such information is made public by the stock exchange), or (iii) otherwise distributes or is required to distribute to its security holders. The proposed rules amend Form 6-K by adding “cybersecurity incidents” as a reporting topic, meaning that the information required to be furnished on Form 6-K includes information which is material with respect to the company and its subsidiaries concerning cybersecurity incidents.

In its proposing release, the SEC stated that, as with the proposed Item 1.05 of Form 8-K for domestic companies, the proposed change to Form 6-K is intended to provide timely cybersecurity incident disclosure in a manner that is consistent with the general purpose and use of Form 6-K. Furthermore, with respect to incident disclosure, where an FPI has previously reported an incident on Form 6-K, the proposed amendments would require annual reports on Form 20-F to contain an update regarding such incidents, consistent with proposed Item 106 of Regulation S-K.

In contrast to the position for domestic companies, a four-business day reporting deadline was not included in the proposed amendments to Form 6-K. A Form 6-K must be furnished to the SEC promptly after the relevant material included in the Form 6-K is published (which, as a matter of best practice, is typically the same business day that the company publishes the information in satisfaction of a local law or stock exchange requirement).

The failure to make a timely Form 6-K disclosure does not result in the loss of eligibility to use Form F-3.

What Should Companies Do Now?

Prepare for Incident Reporting

One of the most obvious impacts of the proposed rules is the four-business day reporting deadline, which is a central part of the SEC’s approach to requiring more timely disclosure of cybersecurity incidents. It is certain that some form of the proposed Form 8-K reporting of material cybersecurity incidents will be included in the final rules, so companies should begin to prepare now.

Companies should ensure that their disclosure committees are directly connected to those individuals in the company who are responsible for evaluating and reporting the occurrence of a cybersecurity incident. Companies should review the escalation procedures within their information security teams that relate to identifying when cybersecurity incidents occur in order to ensure that there is a reporting line to the disclosure committee (or those responsible for making disclosure and materiality assessments). The disclosure committee should maintain these lines of communication after the occurrence of a cybersecurity incident as the scope and severity of an incident are uncovered so that timely materiality assessments can be made. Companies should advise their information security teams of the importance of tracking connected minor cybersecurity incidents so that an assessment can be made as to whether any periodic disclosure requirement is triggered by individually immaterial cybersecurity incidents becoming material in the aggregate.

Companies should also be mindful that the four-business day disclosure deadline does not take into consideration any other provisions of law (such as state or local data protection laws) that may permit or mandate a delay in notifying the public about material cybersecurity incidents. Therefore, companies should consider how the timing of potential SEC-required disclosures may impact their existing regulatory or contractual obligations.

Update Cybersecurity Policies and Procedures and Related Disclosures

Given the high level of specificity in the disclosure rules, companies and boards should consider reviewing their cybersecurity policies and procedures. Although the final rules are not in place, given the statements by a majority of the Commission, including the Chair of the SEC, we should expect final rules that adopt many of the proposed disclosure requirements related to cybersecurity risk management policies and procedures.

Although the proposed rules do not mandate policy and governance changes, companies should consider how “gaps” in disclosures relative to the new rules will be perceived by investors. Additionally, the SEC could adopt a final rule that requires companies to affirmatively identify gaps in cybersecurity policies relative to the new rules and explain the reason for those gaps.

Cybersecurity Expertise on the Board

The proposed rules require companies to identify directors that have cybersecurity expertise, as well as the nature of the expertise. While the new rules do not mandate cybersecurity expertise on the board, and companies that do not have directors with cybersecurity expertise are not required to affirmatively disclose such lack of expertise, companies may nonetheless feel pressure to ensure that their board includes directors with cybersecurity expertise. Recruiting directors with cybersecurity expertise has become very challenging as these candidates are highly sought after by many public companies. For those companies whose cybersecurity risk profile may be lower than tech or consumer-facing companies or those companies that handle sensitive personal data, it remains to be seen whether this new disclosure requirement will place pressure on these companies to also add cybersecurity expertise to the board.

Submitting Comments to the SEC

The SEC is seeking comments on the proposed rules from interested parties.

The SEC posed various specific questions for commenters to consider in their responses, some of which are presented below:

  • Could any of the proposed disclosure obligations (or the timing of those required disclosures) have the unintentional effect of putting registrants at additional risk of future cybersecurity incidents or undermine their cybersecurity defenses? If so, how should this be addressed and balanced with the needs of investors?
  • Would the proposed disclosure obligations conflict with a registrant’s other obligations under federal or state law? If so, what mechanisms could the SEC use to ensure registrants can comply with other laws and regulations while providing timely disclosure to investors?
  • Should registrants be permitted to delay current reporting of material cybersecurity incidents if the Attorney General requests such delay? If law enforcement requests that a company delay public disclosure of a cybersecurity incident, how should this be reconciled with SEC disclosure considerations?
  • Registrants may be required to make a materiality determination in relation to cybersecurity incidents affecting information resources used but not owned by the registrant. Do registrants have the ability to obtain sufficient information from third parties and should registrants be provided with a safe harbor when they rely on information provided by a third party?
  • If there are material updates to disclosure of cybersecurity incidents, is it sufficient for a registrant to disclose such updates in a subsequent periodic report, or should the relevant Current Report on Form 8-K or Form 6-K be amended earlier than the due date for the next periodic report?
  • Are the proposed definitions of “cybersecurity incident,” “cybersecurity threat,” and “information systems” appropriate? The term “cybersecurity” itself is not defined in the proposed rules – should it be? The SEC posited a definition of cybersecurity as “any action, step, or measure to detect, prevent, deter, mitigate, or address any cybersecurity threat or any potential cybersecurity threat,” and sought comment from interested parties on whether a definition would be helpful.
  • Should the proposed rules apply for FPIs? Are there unique considerations with respect to FPIs in the context of cybersecurity disclosures?

We would be pleased to assist you in preparing a comment letter in response to these questions or other portions of the proposed rules. Please reach out to your Shearman & Sterling contacts for assistance.

Special thanks to visiting attorney Pedro de Elizalde and associate Jessica Kelly (both Capital Markets) who contributed to this publication.

Footnotes

[1] See TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438 (1976), Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988), and Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011).

Authors and Contributors

  • Richard Alsop, Partner, Capital Markets, +1 212 848 7333, New York
  • Lona Nallengara, Partner, Capital Markets, +1 212 848 8414, New York
  • Antonia E. Stolper, Of Counsel, Capital Markets, +1 212 848 5009, New York
  • Jonathan A. Lewis, Counsel, Capital Markets, +55 11 3702 2246, São Paulo
  • Alan Bickerstaff, Partner, Emerging Growth, +1 512 647 1903, Austin
  • Roberta B. Cherman, Partner, Capital Markets, +55 11 3702 2245, São Paulo
  • Cassandra Cuellar, Partner, Emerging Growth, +1 512 647 1930, Austin
  • Jonathan (JD) DeSantis, Partner, Leveraged Finance, +1 212 848 5085, New York
  • Marwan Elaraby, Partner, Capital Markets, +971 4 249 2123 / +971 2 410 8123 / +1 212 848 4947, Dubai
  • Marwa Elborai, Partner, Finance, +44 20 7655 5524, London
  • Christopher Forrester, Partner, Capital Markets, +1 650 838 3772, Menlo Park
  • Carmelo Gordian, Partner, Emerging Growth, +1 512 647 1902, Austin
  • Harald Halbhuber, Partner, Capital Markets, +1 212 848 7150, New York
  • Masahisa Ikeda, Partner, Capital Markets, +81 3 5251 1601 / +1 212 848 5378, Tokyo
  • Trevor Ingram, Partner, Capital Markets, +44 20 7655 5630, London
  • Maria Marulanda Larsen, Counsel, Capital Markets, +1 212 848 5385, New York
  • Kyungwon (Won) Lee, Partner, Capital Markets, +852 2978 8078 / +1 212 848 8078, Hong Kong
  • Jason Lehner, Partner, Capital Markets, +1 416 360 2974 / +1 212 848 7974, Toronto
  • Emily Leitch, Partner, Capital Markets, +1 713 354 4845, Houston
  • Hervé Letréguilly, Partner, Capital Markets, +33 1 53 89 71 30, Paris
  • Grissel Mercado, Partner, Capital Markets, +1 212 848 8081, New York
  • Toshiro M. Mochizuki, Partner, Capital Markets, +81 3 5251 0210, Tokyo
  • Kana Morimura, Partner, Litigation, +81 3 5251 0211, Tokyo
  • Robert Mundheim, Of Counsel, Capital Markets, +1 212 848 7738, New York
  • Ilir Mujalovic, Partner, Capital Markets, +1 212 848 5313, New York
  • Bill Nelson, Partner, Capital Markets, +1 713 354 4880, Houston
  • Manuel A. Orillac, Partner, Capital Markets, +1 212 848 5351, New York
  • Andrew Schleider, Partner, Capital Markets, +65 6230 3882, Singapore
  • Pawel J. Szaja, Partner, Capital Markets, +971 4249 2113 / +44 20 7655 5013, Dubai
  • Wanda Woo, Partner, Capital Markets, +852 2978 8007, Hong Kong