
04/07/2022

SEC Proposes New Mandatory Cybersecurity Disclosures For Public Companies

The Securities and Exchange Commission (“SEC”) recently proposed rule changes applicable to public companies to enhance and standardize disclosures concerning cybersecurity risk management, strategy, governance, and cybersecurity incident reporting. The proposed rules would amend rules regarding current and periodic reporting requirements. These proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.

Current Reporting Requirements.

Within the proposed rules, the SEC notes its concern that material cybersecurity incidents are underreported, and that existing reporting may not be sufficiently timely. As a result, the SEC’s amendments would require current reporting on material cybersecurity incidents. The proposed rules would require registrants to file a Form 8-K within four business days of a registrant’s determination that the company has experienced a material cybersecurity incident. The SEC proposes to define the term “cybersecurity incident” as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

The SEC proposes to amend Form 8-K by adding new Item 1.05, which would require a registrant to disclose the following information about a material cybersecurity incident, to the extent the information is known at the time of the Form 8-K filing:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the registrant has remediated or is currently remediating the incident.

The proposed rules would amend Regulation S-K, adding Item 106(d)(1) and (2), further requiring disclosures on Forms 10-Q and 10-K for (i) any material changes, additions or updates to the cybersecurity incidents previously disclosed on Form 8-K, and (ii) any series of previously undisclosed and individually immaterial cybersecurity incidents that have become material in the aggregate. For foreign private issuers, the amendments would create corresponding disclosure triggers on Form 6-K, similar to those for domestic registrants.

Periodic Reporting Requirements.

Additionally, the SEC proposes to mandate certain Form 10-K disclosures concerning (i) a registrant’s cybersecurity risk management and strategy, (ii) cybersecurity governance, and (iii) the cybersecurity expertise of the registrant’s board of directors.

Cybersecurity Management and Strategy

The SEC proposed Item 106(b) of Regulation S-K with the intent that investors would be provided with more consistent and informative disclosures regarding a registrant’s cybersecurity risk management and strategy. New Item 106(b) would require registrants to disclose policies and procedures, if any, to identify and manage cybersecurity risks and threats, including (i) operational risk, (ii) intellectual property theft, (iii) fraud, (iv) extortion, (v) harm to employees or customers, (vi) violation of privacy law or other litigation and legal risk, and (vii) reputation risk. Specifically, proposed Item 106(b) would require disclosure, as applicable, as to whether:

  • The registrant has a cybersecurity risk assessment program and if so, provide a description of such program;
  • The registrant engages assessors, consultants, auditors or other third parties in connection with any cybersecurity risk assessment program;
  • The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider, including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
  • The registrant undertakes activities to prevent, detect and minimize effects of cybersecurity incidents;
  • The registrant has business continuity, contingency and recovery plans in the event of a cybersecurity incident;
  • Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies;
  • Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; and
  • Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how.

Cybersecurity Governance

The SEC’s proposed Item 106(c) of Regulation S-K would require disclosure of a registrant’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies. As it pertains to the board’s oversight of cybersecurity risk, disclosure required by proposed Item 106(c)(1) would include a discussion, as applicable, of the following:

  • Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
  • The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
  • Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management and financial oversight.

Proposed Item 106(c)(2) would require a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures and strategies. This description would include, but not be limited to, the following information:

  • Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
  • Whether the registrant has a designated chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart and the relevant expertise of any such persons;
  • The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
  • Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.

Director Cybersecurity Expertise

The SEC proposes to amend Item 407 of Regulation S-K by adding paragraph (j) to require disclosure about the cybersecurity expertise of members of the board of directors of the registrant, if any. If any member of the board has cybersecurity expertise, the registrant would have to disclose the name(s) of any such director(s) and provide such detail as necessary to fully describe the nature of the expertise.

“Cybersecurity expertise” is not defined in proposed Item 407(j), but the proposed Item would provide a non-exclusive list of criteria that a registrant should consider when determining whether a director has expertise in cybersecurity. That non-exclusive list includes:

  • Whether a director has prior cybersecurity work experience;
  • Whether a director has obtained a certification or degree relating to cybersecurity; and
  • Whether a director has knowledge, skills, or other background in cybersecurity.

Key Takeaways.

While these proposed rules remain subject to comment until May 9, 2022, they do provide a general guideline on what the SEC expects from public companies. Generally, companies should revisit their current cybersecurity policies, determine whether those policies and procedures need to be enhanced, and plan how they will disclose them to investors. Then, in the event of a cybersecurity incident, companies need to be prepared to provide prompt disclosure on Form 8-K, because the SEC’s four-business-day reporting window does not provide companies with much flexibility. And finally, companies should consider the roles of management and directors in their cybersecurity governance.