The U.S. Securities and Exchange Commission (“SEC” or “Commission”) has published proposed rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies (hereinafter, the “Proposed Rules”).[1] The comment period on the Proposed Rules ended on May 9, 2022.[2] As we await further Commission action on this topic, we have provided below a summary of some of the more interesting aspects of the Proposed Rules in their current form.[3]
New Form 8-K Requirement Regarding Material Cybersecurity Incidents
The Commission proposes amending Form 8-K to add Item 1.05 to require companies to disclose information about a cybersecurity incident[4] within four business days after the company determines that it has experienced a material cybersecurity incident. The Commission is proposing that the trigger for Item 1.05 disclosure would be the date on which the company determines that a cybersecurity incident it has experienced is material, rather than the date of discovery of the incident.[5] Therefore, a company’s determination of whether the incident is “material” is going to play a significant role in assessing required disclosure. The SEC does not define a new standard for materiality in the Proposed Rules for cybersecurity incidents, but rather indicates that companies should assess “materiality” based on historical case law. While that precedent is familiar to securities law practitioners, it may be less so to information security professionals or other company officials who will be required to make such a materiality determination during the four-business-day period following the incident. Early coordination with securities counsel is going to be vitally important if the Proposed Rules are finalized in their current form.
Under precedent case law, information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information available.[6] As noted in the SEC’s Proposed Rules, companies will “need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material. Even if the probability of an adverse consequence is relatively low, if the magnitude of the loss or liability is high, the incident may still be material.”[7] This type of analysis can be extremely difficult with cybersecurity incidents, as it is often the case that a company may know that its information systems were compromised in some manner, but have little initial insight into critical information, such as the exact systems or repositories that were impacted and the types of information that may have been accessed, acquired, or otherwise impacted.
The Proposed Rules provide a non-exhaustive list of the types of cybersecurity incidents that could trigger Form 8-K disclosure if determined to be “material.” For example, an unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network), whether from accidental exposure of data or from a deliberate attack, could be a disclosure incident according to the SEC.[8] The theft of confidential business information could trigger a notification obligation even if personal information is not impacted. Ransomware incidents may trigger notification obligations. And the “degradation, interruption, loss of control, damage to, or loss of operations of technology systems” could also trigger notice. To the extent there was any doubt, these examples make clear that the SEC is casting a wide net and is not concerned solely with incidents governed by traditional data breach notification laws that are triggered by incidents exposing sensitive personal information. In that respect, the Proposed Rules are similar to the computer-security incident notification rule recently issued by federal banking regulators.
A multitude of factors will come into play for purposes of the materiality analysis, such as a company’s industry, the sensitivity and volume of impacted information, the impact of system unavailability, how the exposure of trade secrets will impact the company’s business model, whether litigation or an enforcement action is likely to result from the incident, and the impact on a company’s goodwill. Registrants should keep a close eye on SEC guidance and enforcement actions to understand how the SEC weighs these and other factors in the materiality analysis.
By making the trigger date the date of the materiality determination rather than the date of the incident, the SEC appears to recognize that companies often will not have sufficient information at the outset of an incident investigation to make a complete materiality determination. However, a concern is how this determination would be viewed in hindsight by the SEC. If a company delays disclosure of a cybersecurity incident because it does not yet have enough information from an investigation to determine materiality, will it be punished later if the event becomes material and its stock price declines following a later disclosure? The SEC specifically notes in the Proposed Rules that an ongoing investigation (whether internal or external, including by law enforcement) does not justify a reporting delay of a cybersecurity incident that is material. Rather, the company must determine materiality “as soon as reasonably practicable after discovery of the incident.”
The four-business-day timeline would therefore pose challenges for companies in light of existing demands placed on organizations impacted by an incident. Identifying and securing the systems and data impacted by a cybersecurity incident can be a time-consuming and resource-intensive process. The data incident may also require the rapid engagement of outside professionals, such as privacy and data security counsel, forensic investigators, and data breach notification vendors. The data incident may also require the company to coordinate with law enforcement. Further complicating matters is the need for legal advice on the complex web of federal and state breach notification laws and regulations that govern notification to affected individuals, regulators, and other parties. These laws and regulations vary widely, including with respect to what organizations are covered, what data and/or systems are covered, the types of incidents that require notice to be provided, and what exceptions may apply.
Existing breach notification laws and regulations also stipulate when notice must be provided to affected individuals (and other parties). The timelines for notification vary, but the shortest explicit deadline for notifying affected individuals under generally applicable state breach notification laws is thirty days. Meeting that deadline can be a challenge due to the time it takes to determine, among other things, whether notice is required, the content of that notice, who must be notified, and what contact information should be used to notify them. The four-business-day timeline would likely require companies to make public disclosures without a full understanding of a given data incident. Another unfortunate result of the tight timeline is that Form 8-K disclosures may often precede notification to individuals affected by the data breach, as well as state attorneys general.
Updated Disclosure Related to Previously Disclosed Cybersecurity Incidents
The Commission is also proposing adding a new Item 106 to Regulation S-K. Item 106(d)(1) would require a company to provide updated disclosure in periodic reports about previously reported cybersecurity incidents. More specifically, it would require companies to disclose any material changes, additions, or updates to information required to be disclosed pursuant to new Item 1.05 of Form 8-K in the company’s quarterly report on Form 10-Q or annual report on Form 10-K for the period (the company’s fourth fiscal quarter in the case of an annual report) in which the material change, addition, or update occurred.[9] This type of update reporting should be familiar to companies, as it is similar to quarterly updates that are required for material developments related to legal proceedings previously reported.
In order to assist companies in developing updated incident disclosure in their periodic reports, proposed Item 106(d)(1) provides the following nonexclusive examples of the type of disclosure that should be provided, if applicable, in the quarterly updates:
- Any material impact of the incident on the company’s operations and financial condition;
- Any potential material future impacts on the company’s operations and financial condition;
- Whether the company has remediated or is currently remediating the incident; and
- Any changes in the company’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.[10]
Proposed Item 106(d)(2) would require disclosure when a series of previously undisclosed, individually immaterial cybersecurity incidents become material in the aggregate. This would require companies to analyze cybersecurity incidents for materiality both individually and in the aggregate. If a company determines that a series of incidents have become material in the aggregate, the following disclosures would be required:
- When the incidents were discovered;
- Whether the incidents are ongoing;
- A brief description of the nature and scope of such incidents;
- Whether any data was stolen or altered;
- The impact of such incidents on the company’s operations and actions; and
- Whether the company has remediated or is currently remediating the incidents.
Disclosure of Risk Management, Strategy, and Governance Regarding Cybersecurity Risks
Proposed Item 106(b) of Regulation S-K would require companies to describe their policies and procedures, if they have any, to identify and manage cybersecurity risks and threats, including operational risk, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal risk, and reputational risk. Specifically, the new item would require disclosure of whether:
- The company has a cybersecurity risk assessment program and if so, provide a description of such program;
- The company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
- The company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider, including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
- The company undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents;
- The company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
- Previous cybersecurity incidents have informed changes in the company’s governance, policies, procedures, or technologies;
- Cybersecurity-related risk and incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition and if so, how; and
- Cybersecurity risks are considered as part of the company’s business strategy, financial planning, and capital allocation, and if so, how.
A secondary result of the proposed amendments is that companies will need to be proactive about ensuring they have implemented, among other things, a documented data security program and other safeguards designed to address risks posed by cybersecurity threats. The requirement to disclose the above information could reveal noncompliance with data security legal requirements, such as the Safeguards Rule, HIPAA, and state data security laws. Therefore, companies should work with counsel to evaluate their data security program and, at a minimum, implement any policies, procedures, and other safeguards that may be required under applicable law. The additional disclosure requirements set forth below present similar risks to the extent that the subject matter of a disclosure is tied to an underlying legal requirement.
Governance
Proposed Item 106(c) would require disclosure of a company’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the company’s cybersecurity policies, procedures, and strategies. This disclosure would include discussion of the following:
- Whether the entire board, specific board members, or board committee is responsible for the oversight of cybersecurity risks;
- The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
- Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.
Proposed Item 106(c)(2) would require a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the company’s cybersecurity policies, procedures, and strategies, including the following information:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
- Whether the company has a designated chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the company’s organizational chart, and the relevant expertise of any such persons;
- The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
- Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.
Disclosure Regarding the Board of Directors’ Cybersecurity Expertise
Proposed amendments to Item 407 would require disclosure about the cybersecurity expertise of members of the board of directors, if any. If any member of the board has cybersecurity expertise, the company would have to disclose the name of any such director and provide such detail as necessary to fully describe the nature of the expertise. “Cybersecurity expertise” is not defined; however, proposed Item 407(j)(1)(ii) includes a list of criteria that companies should consider in reaching a determination on whether a director has expertise in cybersecurity:
- Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
- Whether the director has obtained a certification or degree in cybersecurity; and
- Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.
A person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including for purposes of Section 11 of the Securities Act. The designation as a cybersecurity expert would not impose any duties, obligations, or liabilities that are greater than those imposed on directors in general.
Conclusion
These proposed amendments would impose extensive new reporting obligations on public companies with respect to cybersecurity incidents and governance disclosures. We believe there are significant issues with the proposed amendments as written, including the following:
- The 8-K disclosure of a cybersecurity incident is required four business days after the company determines that an incident is material. At this early stage, companies are generally still investigating and gathering data about an incident. Not only would this make crafting an accurate disclosure challenging, but the disclosure itself could expose the company to additional cybersecurity and litigation risk. As written, there is no provision for delaying reporting until an investigation into the incident is complete or notice has been provided to affected individuals and regulators that must be notified under federal or state breach notification laws. Therefore, the 8-K disclosure may precede notice to affected individuals and various federal and state regulators, something that may not sit well with either group.
- Disclosures regarding a company’s cybersecurity policies could assist cyber criminals in exploiting security vulnerabilities.
- There is a small supply of cybersecurity experts willing to serve on public company boards. These individuals are in high demand and will likely serve (or are already serving) on the boards of large companies. This leaves small companies with few options.
Hopefully, the SEC will consider these issues as part of the public comment process and revise the proposed rules before final versions are adopted. Companies should monitor and review the final rules, when adopted, in order to prepare for possible incident disclosures and review their cybersecurity governance procedures in preparation for new disclosure requirements. When a cybersecurity incident does occur, involving securities counsel early in the incident response process will be critical to minimizing legal risk.
[1] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11038; 34-94382 (Mar. 9, 2022), 87 FR 16590 (Mar. 23, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-03-23/pdf/2022-05480.pdf.
[2] The public comments received on the Proposed Rules can be accessed here.
[3] See Proposed Rules at pg. 16595.
[4] Under the Proposed Rules, “cybersecurity incident” means an unauthorized occurrence on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.
[5] Id.
[6] Id. at pg. 16595 (citing TSC Indus. v. Northway, 426 U.S. 438, 449 (1976)).
[7] Id.
[8] Id.
[9] Id. at pg. 16598.
[10] Id.