SEC proposes requiring public companies to disclose cybersecurity incidents and governance

The U.S. Securities and Exchange Commission (“SEC”) has proposed regulations that would impose, for the first time as mandatory items, cybersecurity risk management, strategy, governance, and incident disclosure rules on U.S. public companies (including foreign private issuers), with the goal of enhancing and standardizing disclosures regarding these items. 

Specifically, the proposal would require disclosures about: 

• material cybersecurity incidents in Form 8-K and Form 6-K, and updates on these incidents in annual and quarterly reports; and
• risk management, strategy, and governance in annual reports on Forms 10-K and 20-F and other periodic reports, including: 
  • the company’s policies and procedures to identify and manage cybersecurity risks; 
  • management’s role in implementing cybersecurity policies and procedures; and 
  • the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk. 

The proposal would also require that these disclosures be presented in Inline extensible Business Reporting Language (“Inline XBRL”).

The public comment period will remain open until May 9, 2022, or 30 days following publication of the proposing release in the Federal Register, whichever period is longer. 

Considerations in light of the proposed rules

As described below, the SEC’s proposed rules ultimately come down to: (1) governance, (2) risk management and (3) disclosure. Companies should evaluate whether their board of directors and disclosure committee has sufficient visibility into their cybersecurity program to provide the right level of oversight. While it remains to be seen if the provision relating to disclosure of a cybersecurity expert on the board of directors survives the comment period, what is clear is that the SEC expects the board to have a deeper understanding of a company’s cybersecurity program and risks. To that end, companies should invest the necessary resources to conduct cybersecurity risk assessments (with a qualified consultant for the technical analysis and counsel for the regulatory mapping), and provide the high-level results of such risk assessments to the C-Suite and board of directors. The SEC is not the first regulator to focus on the risk assessment process in cybersecurity, and we expect that it will become an increasingly important element of cybersecurity oversight. Finally, companies should maintain an incident response plan that addresses the C-Suite and board roles, and those plans must be practiced through tabletop exercises.

Cybersecurity incident disclosure

The proposed rules would expressly require cybersecurity incident reporting in registrants’ annual and quarterly reports, as well as Forms 8-K and 6-K.

Current SEC regulations do not specifically require the disclosure of cybersecurity incidents, although in the last decade the SEC has twice issued guidance to remind companies to consider whether information about cybersecurity incidents is material to investors.

What the SEC staff says it has observed, however, is that current reporting is inconsistent, may contain insufficient detail, may not be timely, and can be difficult to locate. The SEC staff has sought to address this through the proposed rules, which it believes will benefit investors primarily because (i) more information and timely disclosure would reduce mispricing of securities and facilitate decision-making; and (ii) more uniform and comparable disclosures would lower costs.

Form 8-K reporting 

The SEC is proposing to amend Form 8-K to add Item 1.05 to require companies to disclose information about a material cybersecurity incident on or conducted through information systems owned or used by the company within four business days after the company determines that it has experienced a material cybersecurity incident. The fact that the requirement encompasses information resources “used by” the company raises questions over whether a company could obtain the information to make a materiality determination about incidents affecting resources that it uses but does not own.

If a cybersecurity incident occurs, Item 1.05 would require a company to make a materiality determination regarding the incident as soon as reasonably practicable after discovery of the incident. If the incident is determined to be material, then the company must disclose the following information to the extent known at the time of filing:

• when the incident was discovered and whether it is ongoing;
• a brief description of the nature and scope of the incident;
• whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
• the effect of the incident on the registrant’s operations; and
• whether the registrant has remediated or is currently remediating the incident.

The trigger for the Form 8-K filing would be the date on which the company determines that a cybersecurity incident is material, rather than the date of discovery of the incident. The proposal would not require a company to publicly disclose certain enumerated facts in such detail that would impede its response to, or remediation of, the incident.

Proposed Item 1.05 would not, however, provide for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident. Many states allow companies to delay providing public notice about a data breach incident if law enforcement determines that notification will impede a civil or criminal investigation. While it is now increasingly rare that law enforcement requests delays in notification, it is possible that Item 1.05 would require disclosure where state law disclosures are not yet required. 

As proposed, a company’s failure to timely file a Form 8-K that is required solely to report a cybersecurity incident would not affect a company’s eligibility to use Form S-3 or Form SF-3, and will not be deemed a violation of Rule 10b-5. 

Form 6-K reporting

Under the proposal, Form 6-K would be amended to add “cybersecurity incidents” as a reporting topic. As a technical matter, however, the amendment should not increase a foreign private issuer’s overall disclosure burden, since Form 6-K reporting requirements are only triggered by disclosures a company makes or is required to make public under the laws of its jurisdiction of incorporation; files or is required to file under the rules of any stock exchange; or otherwise distributes to its security holders (together, the “home jurisdiction disclosures”). 

In other words, Form 6-K disclosure of a cybersecurity incident is only required if a foreign private issuer were already making home jurisdiction disclosure of the cybersecurity incident. Indeed, as noted by the SEC staff, in the European Union the General Data Protection Regulation mandates disclosure of cybersecurity breaches and requires basic cybersecurity risk mitigation measures and governance requirements. Further, the information must also be material with respect to the company and its subsidiaries on a consolidated basis. However, given the clear importance of the issue to the SEC, foreign private issuers might  voluntarily choose to use the Form 8-K reporting requirements as a guide to disclosure.

Form 6-K must be filed “promptly” after the material constrained in the report is made public, but there is no specific deadline. Some foreign private issuers aggregate their routine business communications into a single Form 6-K to be filed on a weekly or monthly basis, but more important information – such as the disclosure of a material cybersecurity incident – would typically be furnished on Form 6-K the day after disclosure in the home jurisdiction.  

Annual and quarterly reports 

The SEC is also proposing to add new Item 106(d) to Regulation S-K and new Item 16J(d) to Form 20-F to require the following additional disclosures about cybersecurity incidents: 

• Updated disclosure on already disclosed incidents – If a company has already provided disclosure on cybersecurity incidents in Form 6-K or Form 8-K, it must disclose any material changes, additions, or updates regarding such incidents. The disclosure should include a discussion of the material effect and potential material future impacts of the incident on the company’s operations and financial condition; whether the company has or is remediating the incident; and any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.
• Series of previously undisclosed incidents – If previously undisclosed cybersecurity incidents that were deemed individually immaterial become material in the aggregate, a company would also be required to provide the following information: a general description of when the incidents were discovered and whether they are ongoing; a brief description of the nature and scope of the incidents; whether any data was stolen or altered in connection with the incidents; the effect of the incidents on the registrant’s operations; and whether the registrant has remediated or is currently remediating the incidents. An example would be where one malicious actor engages in a number of smaller but continuous cyber-attacks related in time and form against the same company and collectively, they are quantitatively or qualitatively material.

With respect to incident disclosure, where a foreign private issuer has previously reported an incident on Form 6-K, the proposal would require an update regarding the incident, consistent with proposed Item 106(d)(1) of Regulation S-K. The SEC is also proposing to amend Form 20-F to require foreign private issuers to make disclosures on an annual basis information about any previously undisclosed material cybersecurity incidents that have become material in the aggregate during the reporting period. 

Risk management, strategy, and governance disclosure

Under the proposal, new Items 106(b), 106(c) and 407(j) to Regulation S-K and new Item 16J to Form 20-F would also require disclosure regarding a company’s cybersecurity risk management, strategy, and governance. 

Specifically, the proposal would require a company to:

• describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether it considers cybersecurity as part of its business strategy, financial planning, and capital allocation; 
• describe the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies; and  
• disclose whether any member of the board of directors has expertise in cybersecurity, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise (which could include prior work experience in cybersecurity, any relevant degrees or certifications, or any knowledge, skills, or other background in cybersecurity). The person would not be deemed an expert for purposes of Section 11 of the Securities Act of 1933. 

U.S. domestic registrants would be required to include the proposed disclosure about board expertise in both their annual reports and proxy or information statements. Since foreign private issuers are not subject to the SEC’s proxy rules, they would only be required to include such disclosure in their annual reports. 

As noted by SEC Commissioner Hester Peirce, who voted against the proposal, the disclosure requirement regarding a board cybersecurity expert is reminiscent of the Sarbanes-Oxley Act disclosure requirement relating to audit committee financial experts. While the proposal does not require a company to have a cybersecurity expert, the requirement to disclose whether it has a cybersecurity expert may in practice turn into a requirement to have one on the board. 

Inline XBRL requirements

The proposal would also require companies to tag the information specified by Item 1.05 of Form 8-K, Items 106 and 407(j) of Regulation S-K and Item 16J of Form 20-F in Inline XBRL, which would include block text tagging of narrative disclosures, as well as detail tagging of quantitative amounts disclosed within the narrative disclosures.

                                                            * * * 

We will continue to monitor developments in these areas and encourage you to contact us if you have any questions.