United States | Publication | March 2022
On March 9, 2022, the US Securities and Exchange Commission (“SEC”) proposed rules for public companies and foreign private issuers (FPIs) to require rapid disclosure of material cybersecurity incidents as well as periodic disclosure of cybersecurity risk management and policies and procedures (hereinafter the “SEC’s Proposed Rule”). The SEC’s Proposed Rule reflects the SEC’s belief that investors should be made aware of companies’ efforts to combat and remediate cybersecurity incidents, which in some instances can have significant consequences to a company’s operations, in order to make well-informed investment decisions.
The SEC’s Proposed Rule expands on the 2011 CF Disclosure Guidance and the 2018 SEC Cybersecurity Guidance, which addressed the importance of cybersecurity policies and procedures and disclosures of material cybersecurity incidents. In the 2018 Guidance, the SEC wrote, “…we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.”
According to the SEC’s Proposed Rule, however, cybersecurity disclosure practices have been inconsistent. For example, the SEC has observed cybersecurity incidents being reported in the media and not in company filings. Further, the SEC stated that even where companies decide to disclose in SEC filings, those disclosures vary greatly, with some companies providing a thorough materiality analysis, including the estimated cost and remedial measures being taken, while others disclose little more than the fact that a cybersecurity incident occurred.
To ensure standardization on cybersecurity disclosures, the SEC’s Proposed Rule would require public companies to:
The SEC’s Proposed Rule requires filing a Form 8-K within four business days after determining that a cybersecurity incident was material. The disclosure on the Form 8-K would need to address:
The threshold for filing a Form 8-K is whether the cybersecurity incident is “material.” The SEC’s Proposed Rule does not change the approach for analyzing materiality described in the SEC’s prior cybersecurity disclosure guidance. The concept of materiality remains whether the cybersecurity incident has a substantial likelihood that a reasonable investor would consider the information important in making an investment decision. The SEC’s Proposed Rule recommends that registrants “objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material.”
The SEC explicitly recognized that companies may need time to determine whether a cybersecurity incident is material. Thus, the Form 8-K filing requirement is four business days after making that materiality determination, not necessarily four business days after learning of the incident. However, the SEC expects management to make a materiality determination as soon as reasonably practicable. That triggering event may happen before a company has completed its investigation into the matter. The SEC consciously chose not to propose permitting a company to delay disclosure when there is an ongoing law enforcement investigation, even though the SEC recognized that a delay may help law enforcement apprehend the bad actor. The SEC believed that allowing such a delay would undermine the purpose of the rule, which supports the timely disclosure of material cybersecurity incidents to investors. The rule even goes so far as to note that disclosure would be required even where a company was relying on a law enforcement delay available under state breach notification law.
In addition, once a company discloses a cybersecurity incident on Form 8-K, the SEC’s Proposed Rule would require disclosure of any material changes, such as on the scope of the incident, the potential impact on the company’s operations, remediation efforts, or changes to the company’s policies and procedures, in the subsequent Form 10-Q or Form 10-K.
Further, the SEC’s Proposed Rule recognizes that there may be a series of individually immaterial cybersecurity incidents that, taken in the aggregate, become material. In that case, disclosure would be required in the Form 10-Q or Form 10-K.
The SEC’s Proposed Rule suggests amendments to periodic reports, such as Forms 10-Q and 10-K filings, to require more consistent and informative disclosure of a company’s cybersecurity risk management, strategy and governance. For example, companies would be required to provide an overview of relevant cybersecurity policies and procedures, including descriptions of how and when the company assesses its cybersecurity risk profile, how the company responds to cybersecurity events, and how the company manages cybersecurity risk related to its third-party service providers.
In addition, the SEC’s Proposed Rule requires descriptions of board oversight of the cybersecurity risk program, including the process by which the board is informed of cyber risks, and a description of which management positions or committees are responsible for managing cybersecurity risks. The SEC also proposes having companies disclose the board’s cybersecurity expertise. The proposal, however, does not define what constitutes “cybersecurity expertise.”
There is a 60-day comment period following the publication of the SEC’s Proposed Rule in the Federal Register. While many companies have been disclosing cybersecurity risks in their public filings, the SEC’s Proposed Rule – if adopted – will standardize the types of information to be provided and impose a specific deadline for when material incidents must be reported. The requirement to disclose cybersecurity expertise may also lead to a recalibration of board composition, with an increased focus on having a specialized “cybersecurity” individual on the board.
While the SEC’s Proposed Rule still largely leaves the materiality analysis to the company, the proposing release strongly suggests that the SEC is skeptical about how companies have been conducting their materiality analysis of cybersecurity incidents thus far. Thus, the SEC may more frequently second-guess companies’ materiality analyses. This underscores the need for companies to thoughtfully document their decision-making processes about whether and when to disclose a cybersecurity incident.
Regardless of the status of the SEC’s final rule, companies cannot ignore their cybersecurity risks. Companies should be evaluating their cybersecurity practices and capabilities from a risk-based perspective and ensuring employees are prepared to respond to a cybersecurity incident. Public companies and FPIs should evaluate their cybersecurity disclosures and determine whether they need to be providing more information about their cybersecurity risk profile, risk management practices and oversight, and cybersecurity incidents so that investors can be armed with sufficient information to evaluate their investment decisions.
© Norton Rose Fulbright LLP 2023