SEC Proposes Cybersecurity Incident and Governance Disclosure Obligations for Public Companies
- Less than a month after the U.S. Securities and Exchange Commission (SEC) proposed substantial new cybersecurity requirements for investment advisers and registered investment companies, the commission unveiled a new slate of proposed cybersecurity disclosure rules for public companies.
- If adopted, the proposed rules would require each public company to report material cybersecurity incidents within four business days after determining that it has experienced such incidents, provide periodic updates of previously reported cybersecurity incidents, describe its cybersecurity risk management policies and procedures, disclose its cybersecurity governance practices and disclose cybersecurity expertise on the board of directors.
- The proposed rules seek to have public companies disclose cybersecurity incidents and their risk management, strategy and governance practices in a consistent and comparable manner.
Less than a month after the U.S. Securities and Exchange Commission (SEC) proposed substantial new cybersecurity requirements for investment advisers and registered investment companies, the commission unveiled a new slate of proposed cybersecurity disclosure rules for public companies. The proposed rules, if adopted, would require each public company to: 1) report material cybersecurity incidents within four business days after determining that it has experienced such incidents; 2) provide periodic updates of previously reported cybersecurity incidents; 3) describe its cybersecurity risk management policies and procedures; 4) disclose its cybersecurity governance practices; and 5) disclose cybersecurity expertise on the board of directors.1
SEC Chair Gary Gensler previewed the possibility of such proposed rules during his January 2022 speech at the Northwestern Pritzker School of Law's Annual Securities Regulation Institute. The proposed rules seek to have public companies disclose cybersecurity incidents and their risk management, strategy and governance practices in a consistent and comparable manner. The proposed rules, however, may create significant litigation and enforcement risks for public companies and could potentially expose them to greater cybersecurity risks in certain situations. Furthermore, the contemplated ongoing reporting obligations and proposal that companies consider incidents at third-party providers as part of their assessment would place significant burdens on public companies. Additionally, the proposed rules are the latest example of the SEC using its rulemaking and enforcement authority to dictate corporate governance and board composition at public companies.
This Holland & Knight alert provides a summary of the new proposed rules and offers some key takeaways.
Proposed Cybersecurity Requirements for Public Companies
A. Current Reporting about Material Cybersecurity Incidents
The SEC proposed to amend Form 8-K to require public companies to disclose, within four business days after the company determines that it has experienced a material "cybersecurity incident," certain information about the incident. Under the proposed Item 1.05 to Form 8-K, a "cybersecurity incident" is defined as "an unauthorized occurrence on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The SEC stated that "cybersecurity incident" "should be construed broadly…" and may include an accidental exposure of data.
Although the SEC does not expect a public company to disclose technical information about its cybersecurity systems, potential vulnerabilities or response to a cybersecurity incident, disclosure of the following information for each material cybersecurity incident would be required:
- when the incident was discovered and whether it is ongoing
- a brief description of the nature and scope of the incident
- whether any data was stolen, altered, accessed or used for any other unauthorized purpose
- the effect of the incident on the company's operations
- whether the company has remediated or is currently remediating the incident2
Notably, the triggering event for disclosure is not the date of the cybersecurity incident. Rather, disclosure would be within four days after the company "determines that a cybersecurity incident it has experienced is material."3 Notwithstanding allowing the exercise of discretion (which effectively codifies the longstanding concept of "ripeness" in determining materiality), the SEC expects public companies "to be diligent in making a materiality determination."4
Materiality is to be determined under longstanding precedent of whether there is a substantial likelihood that a reasonable shareholder would consider the information as important or as having significantly altered the total mix of information made available.5 The SEC acknowledged that this materiality analysis "is not a mechanical exercise" but rather would require the company to "thoroughly and objectively evaluate the total mix of information…"6
The SEC proposes to make the cybersecurity incident reporting on Form 8-K eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act for failure to timely file.7 Importantly, however, this limited safe harbor does not exempt companies from antifraud liability – or other liability under other provisions of the federal securities laws – for representations made in a Form 8-K concerning the cybersecurity incident.8
B. Cybersecurity Incident Disclosure in Periodic Reports
The SEC proposed to add new Item 106 to Regulation S-K and updates to Forms 10-Q and 10-K that would require public companies to provide periodic updates about previously disclosed cybersecurity incidents when a material change, addition or update has occurred. The SEC justifies the ongoing reporting requirement as a way to "balance the need for prompt and timely disclosure regarding material cybersecurity incidents with the fact that a registrant may not have complete information about a material cybersecurity incident at the time it determines the incident to be material."9 The SEC's proposed rule does not require that public companies file a separate Form 8-K for such updates; rather, this information would be disclosed in the next filed quarterly or annual report.10
Similarly, if a public company discovered that a series of previously undisclosed, immaterial cybersecurity incidents had become material in the aggregate, the company would need to disclose such incidents in its next filed periodic report. Information to be provided under the SEC's proposed Item 106(d)(2) would be similar to the proposed Form 8-K Item 1.05 information detailed above.
In both instances, the SEC provided a list of information public companies should include under proposed Instructions to Item 106(c), such as the material impact on the company's operations and whether the company has remediated the incident.
C. Periodic Disclosures of Cybersecurity Risk Management Policies and Procedures
The SEC also proposed Item 106(b) of Regulation S-K, which would require significant disclosure about a public company's policies and procedures to identify and manage cybersecurity risks. Specifically, the proposed rule would require public companies to disclose "in such detail as necessary to adequately describe the registrant's policies and procedures, if it has any, for the identification and management of risks from cybersecurity threats … " Items "that would require disclosure" would include11:
- if the company has a cybersecurity risk assessment program and, if so, a description of the program
- whether the company engages consultants and other third parties in connection with any cybersecurity risk assessment program
- the company's policies and procedures to oversee and identify the cybersecurity risks associated with the use of any third-party service provider, including whether and how cybersecurity considerations impact selection and oversight of these providers
- activities the company undertakes to prevent, detect and minimize effects of cybersecurity incidents
- whether the company has business continuity, contingency and recovery plans in the event of a cybersecurity incident
- previous cybersecurity incidents that have informed changes in the company's cybersecurity governance, policies and procedures, and technologies
- cybersecurity risks and incidents that have affected or are reasonably likely to affect the company's results of operations or financial condition and, if so, how
- how cybersecurity risks are considered as part of the company's business strategy, financial planning and capital allocation
D. Governance Disclosures Regarding Cybersecurity
The SEC also proposed two additional items under Regulation S-K, which would require public companies to make three governance-related disclosures concerning: 1) board oversight of cybersecurity risks and associated processes; 2) management's role in assessing and managing cybersecurity risks and implementing the company's cybersecurity policies and procedures; and 3) cybersecurity expertise of members of the board, if any.
With respect to the board's oversight of cybersecurity risks, disclosure under the proposed Item 106(c)(1) of Regulation S-K includes the following nonexclusive items:
- whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks
- the process by which the board is informed about cybersecurity risks
- the frequency with which the board is informed about cybersecurity risks
- whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management and financial oversight
With respect to management's role in assessing and managing cybersecurity risks and implementing a company's cybersecurity policies and procedures, disclosure under proposed Item 106(c)(2) of Regulation S-K "should include" the following nonexclusive items:
- whether certain management positions or committees are responsible for managing and measuring cybersecurity risks
- whether the company has a designated chief information officer, security officer or someone in a comparable position
- the processes by which such person or committee is informed about and monitors prevention, mitigation, detection and remediation of cybersecurity incidents
- whether and how frequently such person or committee reports to the board of directors or a committee of the board on cybersecurity risks
Finally, the SEC proposes revisions to Item 407 of Regulation S-K to require public companies to: 1) disclose the cybersecurity expertise of their board members, if any; 2) name the directors; and 3) detail their experience. Although the SEC declined to define "cybersecurity expertise," it offered an illustrative, nonexclusive list of factors to help assess such expertise.
Importantly, the SEC clarified that any person identified as having cybersecurity expertise is not an expert for any purposes of Section 11 of the Securities Act, and that such identification does not impose any additional duties, obligations or liability on this individual.
Key Takeaways
- These Rules Create Significant Litigation and Strategic Risks: The cybersecurity incident disclosure obligation would require that public companies disclose specific details concerning the cybersecurity incident, the scope of the incident, the data accessed or stolen, and the effect of the incident on company operations. By requiring this disclosure four days after determination of a material cybersecurity incident, the Form 8-K filing could precede data breach notices to state attorneys general, individuals and potentially impacted business partners. Further, providing such details prior to the completion of a forensic investigation and data-mining efforts is likely to expose companies to litigation before they have a full picture of the impact of the cybersecurity incident, as well as potentially undermine attorney-client and work product privilege associated with investigating the cybersecurity incident.
Additionally, both the cybersecurity incident disclosures (including its associated periodic reporting) and disclosure of the company's cybersecurity risk management policies and procedures would create significant risks that the SEC's Division of Enforcement and private litigants will seize on the company's representations as potential bases for liability under the antifraud provisions and otherwise after an incident. As demonstrated in the First American Financial Corporation action last year, the SEC's Division of Enforcement has already shown a willingness to utilize controls and procedures provisions of federal securities laws to hold companies liable in connection with cybersecurity incidents. The additional line item disclosure requirements of proposed Items 106 and 407 of Regulation S-K undoubtedly will present risks that the Division of Enforcement will utilize such provisions to penalize companies after they have been the victims of a cybersecurity incident. This is particularly the case in the short term, where interpretative guidance may be limited and SEC policy regarding enforcement of the new rules may not be fully understood.
- These Rules May Create Significant Cybersecurity Risks: Although the SEC claims that these disclosure rules do not seek technical information, the proposed rules would require disclosure of substantial details concerning cybersecurity incidents and public companies' cybersecurity risk management policies and procedures. Although the SEC appears to believe that disclosures regarding public companies' cybersecurity programs could lead to improvement of their policies and procedures, such detailed disclosure could have the unintended result of making them more vulnerable to cyberattacks. For example, the public disclosure of detailed information concerning a cybersecurity incident prior to full containment and remediation could provide opportunities for cybercriminals to further target victim companies and their affected customers, employees or other constituents. Additionally, cybercriminals could potentially utilize a company's disclosures concerning its cybersecurity policies and procedures, such as the activities that a public company takes to detect cybersecurity incidents, to identify vulnerabilities and to design strategic cyberattacks against the company.
Additionally, in many instances, this will force public companies to engage in ongoing disclosure about incidents while in the midst of incident response and remediation. The unintended consequences of such disclosures on these efforts could be significant. For example, in the case of a ransomware attack, such disclosures could impact a company's ransomware negotiation position and strategy.
- Once Again, Risks and Incidents at Third Parties Could Create Disclosure Obligations: The SEC highlighted companies' "increasing reliance on third party service providers for information technology services…" as one of the reasons cybersecurity risks have increased.12 As with the proposed rule for investment advisers and investment companies, the SEC's proposed definition of information systems includes "information resources owned or used by the registrant…"13 In the event of a cybersecurity incident at a third-party vendor, public companies may have difficulty obtaining timely information to make a materiality determination for information systems they do not own, or to provide the level of detail that would be required under the proposed rules.
As a result, public companies (and companies considering becoming publicly traded) may need to reassess their cybersecurity and data privacy risks associated with their vendor management programs. This may include conducting due diligence reviews, conducting cybersecurity audits, including contractual provisions to ensure timely and detailed cyber incident reporting, or reconsidering the mix of internal and outsourced information technology systems.
- Additional Burden of Ongoing Reporting: Public companies would be subject to ongoing reporting obligations if the SEC adopts the proposed rules. The ongoing reporting requirements for prior cybersecurity disclosures will force public companies to spend significant time and resources implementing protocols that allow for analysis and assessment of ongoing and prior cyber incidents. Given that a materiality assessment is fluid, this would require public companies to engage in frequent assessments of prior cyber incidents, including those previously deemed not material, to assess possible disclosure obligations.
Furthermore, the ongoing reporting requirement would create an ancillary obligation for public companies to repeatedly assess their prior incident disclosures. Although companies could potentially use the ongoing update requirement as a mechanism for correcting prior disclosures, the SEC indicated that prior Forms 8-K concerning cybersecurity disclosures could be deemed false or misleading unless corrected.
- No Delay Reporting Safe Harbor: Most state laws permit companies to delay data breach notices when law enforcement determines that such notices will impede an investigation. The SEC's proposed rules include no such exception, instead stating that "[o]n balance, it is our current view that the importance of timely disclosure of cybersecurity incidents for investors would justify not providing for a reporting delay."14 The SEC acknowledged that the lack of delay notice can create inconsistent disclosure requirements for public companies at the state and federal level.15 Although many public companies already deal with such legal differences between state and federal disclosure laws, the lack of a safe harbor that primarily aims to aid law enforcement in identifying and prosecuting the criminal actors appears at odds with the government's broader cybersecurity goals.
- Difficulties Filling Board Seats with Cybersecurity Expertise: Currently, there is a substantial talent shortage of cybersecurity professionals. As a result, individuals who would be qualified to become board members and who have cybersecurity expertise are likely in short supply. Nevertheless, by requiring the disclosure of cybersecurity expertise of board members, many companies may attempt to fill a board seat with someone with such cybersecurity expertise. Smaller public companies may find it difficult to attract sufficiently qualified individuals and find themselves at a comparative disadvantage to larger companies that could provide better incentives to those individuals. The need to find board members with cyber expertise also may compete with other board composition requirements faced by public companies.
- Governance Insight: While not an express purpose of the proposed rules, there is little doubt that they reflect the SEC's desire to influence corporate governance at public companies. As SEC Commissioner Hester M. Peirce identified in her dissenting statement, the proposed rules will likely affect the composition of boards of directors and management teams and result in substantive changes to management cybersecurity policies and procedures.16 The proposed rules will also likely influence public companies to adapt their cyber risk management policies so that they will be viewed favorably in light of the specific disclosure requirements. This is not the first time that Congress or the SEC has used disclosure obligations to dictate substantive changes in corporate management.17 As noted above, however, the proposed rules are likely to have pervasive and unintended effects, such as creating tension between disclosure of cyberattacks and preserving law enforcement's ability to investigate and pursue wrongdoing. Regardless, the proposed rules will require public companies to devote increased time and financial resources to cyber risk management, governance and oversight – if nothing else, "to avoid appearing as if they do not take cybersecurity as seriously as other companies."18
The SEC's proposed rules are open for comment until 30 days after publication in the Federal Register or May 9, 2022 (whichever is later). The SEC will then assess public comments and vote on a final rule.
For more information about the cybersecurity requirements for public companies and other registrants, contact the authors. In addition, as the SEC continues to develop cybersecurity requirements for regulated entities, you can receive updates by following Holland & Knight's SECond Opinions and Cybersecurity and Privacy blogs.
1 For purposes of this alert, all references are to the U.S. issuer rules. However, the SEC's rule proposal also applies to foreign private issuers and includes parallel rule proposals for those entities. For example, the proposed Form 8-K rule would also apply to foreign private issuers based on similar proposals in connection with Form 6-K.
2 As contemplated by the rule, public companies will need to assess potential cybersecurity incidents not only on the systems that they own, but also on information resources "used by" the company, including cloud-based storage devices and virtual infrastructure.
3 Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Proposed Rule ("Proposed Rule"), at 22. Please see our prior analysis on the proposed cybersecurity rules for investment advisers and investment companies for details on the significant differences in incident reporting timelines.
4 Proposed Instruction 1 to Item 1.05 states that "a registrant shall make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident." Proposed Rule, at 22; Proposed Instruction 1 to Proposed Item 1.05 of Form 8-K.
5 See, e.g., Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988); TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976).
6 Proposed Rule, at 23.
7 Id. at 27; Proposed Exchange Act Rules 13a-11(c) and 15d-11(c).
8 Notably, a failure to timely file an Item 1.05 Form 8-K would not affect a public company's ability to register securities on Form S-3.
9 Id. at 32.
10 However, the SEC did note that a public company may need to file an amended Form 8-K to correct a prior disclosure that becomes inaccurate or materially misleading in light of subsequent developments. Id. at 33, FN 69.
11 It is unclear if the actual proposed rule includes a mandated list of disclosure items. Unlike the body of the proposed rule release, which notes that proposed Item 106(b) "would require disclosure," the proposed rule itself notes that a discussion "should include." We expect that the comments and responses thereto will bring greater clarity on whether the list outlined above is illustrative or mandatory.
12 Id. at 7; see also Id. at FN 10.
13 Proposed Item 106(a)(3).
14 Id. at 25.
15 "To the extent that proposed Item 1.05 of Form 8-K would require disclosure in a situation in which a state law delay provision would excuse notification, there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law." Id. at 26.
17 Other examples include relatively low reporting thresholds for environmental proceedings to encourage environmental law compliance, Compensation Disclosure and Analysis to influence compensation decisions, changes to audit committees and the auditor relationship caused by Sarbanes-Oxley required disclosures and changes to compensation committee activities caused by Dodd-Frank.
18 See FN 16.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.