US SEC proposes new rule on cybersecurity disclosures

United States Publication March 2022

On March 9, 2022, the US Securities and Exchange Commission (“SEC”) proposed rules for public companies and foreign private issuers (FPIs) to require rapid disclosure of material cybersecurity incidents as well as periodic disclosure of cybersecurity risk management and policies and procedures (hereinafter the “SEC’s Proposed Rule”).  The SEC’s Proposed Rule reflects the SEC’s belief that investors should be made aware of companies’ efforts to combat and remediate cybersecurity incidents, which in some instances can have significant consequences to a company’s operations, in order to make well-informed investment decisions. 

The SEC’s Proposed Rule expands on the 2011 CF Disclosure Guidance and the 2018 SEC Cybersecurity Guidance, which addressed the importance of cybersecurity policies and procedures and disclosures of material cybersecurity incidents.  In the 2018 Guidance, the SEC wrote, “…we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.”

According to the SEC’s Proposed Rule, however, cybersecurity disclosure practices have been inconsistent.  For example, the SEC has observed cybersecurity incidents being reported in the media and not in company filings.  Further, the SEC stated that even where companies decide to disclose in SEC filings, those disclosures vary greatly, with some companies providing a thorough materiality analysis, including the estimated cost and remedial measures being taken, while others disclose little more than the fact that a cybersecurity incident occurred. 

To ensure standardization on cybersecurity disclosures, the SEC’s Proposed Rule would require public companies to:

  1. report any cybersecurity incidents on Form 8-K (public companies) or Form 6-K (FPIs) within four business days of determining that the incident is material
  2. provide material updates on any previously reported cybersecurity incidents in the Form 10-Q/10-K or Form 20-F
  3. provide periodic disclosures about cybersecurity policies and procedures on Form 10-K and Form 20-F
  4. identify management’s role in implementing cybersecurity policies and procedures on Form 10-K and Form 20-F
  5. describe the board of directors’ expertise in cybersecurity, if any, and the board’s oversight of the cyber risks in a proxy or information statement when action is to be taken with respect to the election of directors, and in the Form 10-K (for FPIs this would only be relevant in Form 20-F)

Proposed Amendments to Form 8-K[1]

The SEC’s Proposed Rule requires filing a Form 8-K within four business days after determining that a cybersecurity incident was material.[2] The disclosure on the Form 8-K would need to address:

  1. When the cybersecurity incident occurred and whether it is ongoing
  2. A brief description of the nature and scope of the cybersecurity incident
  3. Whether any data was taken, manipulated or used for any unauthorized purpose
  4. The impact of the cybersecurity incident on the company’s operations
  5. A description of any remedial measures that have been taken

The threshold for filing a Form 8-K is whether the cybersecurity incident is “material.” The SEC’s Proposed Rule does not change the approach for analyzing materiality described in the SEC’s prior cybersecurity disclosure guidance. The concept of materiality remains whether there is a substantial likelihood that a reasonable investor would consider the information about the cybersecurity incident important in making an investment decision. The SEC’s Proposed Rule recommends that registrants “objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material.”[3]

The SEC explicitly recognized that companies may need time to determine whether a cybersecurity incident is material.  Thus, the Form 8-K filing requirement is four business days after making that materiality determination, not necessarily four business days after learning of the incident.  However, the SEC expects management to make a materiality determination as soon as reasonably practicable.  That triggering event may happen before a company has completed its investigation into the matter.  The SEC consciously chose not to propose permitting a company to delay disclosure when there is an ongoing law enforcement investigation, even though the SEC recognized that a delay may help law enforcement apprehend the bad actor.  The SEC believed that allowing such a delay would undermine the purpose of the rule, which supports the timely disclosure of material cybersecurity incidents to investors. The rule even goes so far as to note that disclosure would be required even where a company was relying on a law enforcement delay available under state breach notification law. 

In addition, once a company discloses a cybersecurity incident on Form 8-K, the SEC’s Proposed Rule would require disclosure of any material changes, such as on the scope of the incident, the potential impact on the company’s operations, remediation efforts, or changes to the company’s policies and procedures, in the subsequent Form 10-Q or Form 10-K. 

Further, the SEC’s Proposed Rule recognizes that there may be a series of immaterial cybersecurity incidents that, when taken in the aggregate, may become material. In that case, disclosure would be required in the Form 10-Q or Form 10-K.

Proposed Amendments to Periodic Reports

The SEC’s Proposed Rule suggests amendments to periodic reports, such as Forms 10-Q and 10-K filings, to require more consistent and informative disclosure of companies’ cybersecurity risk management, strategy and governance. For example, companies would be required to provide an overview of relevant cybersecurity policies and procedures, including descriptions of how and when the company assesses its cybersecurity risk profile, how the company responds to cybersecurity events, and how the company manages cybersecurity risk related to its third-party service providers.

In addition, the SEC’s Proposed Rule requires descriptions of board oversight of the cybersecurity risk program, including the process by which the board is informed of cyber risks, and a description of which management positions or committees are responsible for managing cybersecurity risks.  The SEC also proposes having companies disclose the board’s cybersecurity expertise.  The proposal, however, does not define what constitutes “cybersecurity expertise.”

Key Takeaways

There is a 60-day comment period following the publication of the SEC’s Proposed Rule in the Federal Register. While many companies have been disclosing cybersecurity risks in their public filings, the SEC’s Proposed Rule, if adopted, will standardize the types of information to be provided and impose a specific deadline for when material incidents must be reported. The requirement to disclose cybersecurity expertise may also lead to a recalibration of board composition, with an increased focus on having a specialized “cybersecurity” individual on the board.

While the SEC’s Proposed Rule still largely leaves the materiality analysis to the company, the proposing release strongly suggests that the SEC is skeptical about how companies have been doing their materiality analysis of cybersecurity incidents thus far. Thus, the SEC may more frequently engage in second-guessing companies’ materiality analysis. This underscores the need for companies to thoughtfully document their decision-making processes about whether and when to disclose a cybersecurity incident.

Regardless of the status of the SEC’s final rule, companies cannot ignore their cybersecurity risks. Companies should be evaluating their cybersecurity practices and capabilities from a risk-based perspective and ensuring employees are prepared to respond to a cybersecurity incident.[4] Public companies and FPIs should evaluate their cybersecurity disclosures and determine whether they need to be providing more information about their cybersecurity risk profile, risk management practices and oversight, and cybersecurity incidents so that investors can be armed with sufficient information to evaluate their investment decisions.


Footnotes

1   The same amendments are also applicable to the Form 6-Ks for FPIs.

2   The proposed definition of a cybersecurity incident is “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein”. Further, “information systems” is broadly defined as “information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of a registrant’s information to maintain or support the registrant’s operations.” These definitions would apply to Item 106 of Regulation S-K and proposed Item 1.05 of Form 8-K.

3   SEC’s Proposed Rule at 23.

4   For more detail on suggestions for implementing ransomware-specific cybersecurity incident response plans, see our prior post here: https://www.dataprotectionreport.com/2022/01/who-gets-to-decide-to-pay-the-ransom-in-a-ransomware-attack/.
