As a significant step in its ongoing initiatives on the disclosure, management and oversight of cybersecurity risks and incidents, on March 9, 2022 the U.S. Securities and Exchange Commission (SEC) proposed new rules that would significantly increase cyber-related disclosures by public operating companies. The proposed rules would:
- Require disclosure in Form 10-Q and Form 10-K reports of a series of specific disclosure topics related to cybersecurity risks, cybersecurity incidents and board and management structures, policies and procedures related to management and oversight of cybersecurity risks and incidents;
- Require accelerated disclosure of cybersecurity incidents by requiring companies to report cybersecurity incidents in a Form 8-K filing within four business days after the company determines that the incident was material, which the company must do “as soon as reasonably practicable after discovery”;
- Require disclosure in Form 10-Q and Form 10-K reports of any material changes or updates (including “any potential future impacts” on the company’s operations and financial condition) to a company’s Form 8-K disclosure of a cybersecurity incident;
- Require companies to identify any member of the board of directors who has expertise in cybersecurity matters, and to disclose the qualifications and experience of any such director in Form 10-K annual reports and proxy and information statements on Schedules 14A and 14C;
- Require companies to identify these disclosures using Inline extensible Reporting Language (Inline XBRL) to expedite access to the proposed disclosures by investors and regulators; and
- Amend Form 20-F and Form 6-K to require substantially similar disclosure by foreign private issuers (FPIs).
The proposed rules do not provide any disclosure exemptions or accommodations or any deferred compliance dates for companies that qualify as smaller reporting companies or emerging growth companies under SEC rules.
WHAT COMPANIES SHOULD CONSIDER DOING NOW
The proposed rules are the latest step in the SEC’s broad approach to cybersecurity matters such as risk management, corporate governance and strategy, incident reporting and public disclosure. Although the proposed rules are subject to comment and may change before the SEC adopts final rules, the proposed rules in their current form would significantly raise the bar for companies, so companies may wish to review the proposed rules now for general planning purposes. In addition, companies may wish to consider acting on some or all of the following points.
REVIEW AND UPDATE CYBERSECURITY DISCLOSURES, DISCLOSURE CONTROLS AND PROCEDURES AND CYBERSECURITY INCIDENT RESPONSE PLANS
Current Disclosure. Although it is not clear when the proposed rules will become final or how the final rules may change from the proposed rules, companies continue to be subject to current disclosure requirements about cybersecurity risks, incidents and related matters. These disclosures are an area of significant interest to investors, regulators, the media and others. If a company’s current cybersecurity disclosures could be viewed as stale or boilerplate, this may be a good opportunity for the company to review and update existing disclosures or add new disclosures, if appropriate. For example, the SEC staff views risk factor disclosure of potential cybersecurity risks as inadequate if the hypothetical risk has materialized in actual cybersecurity incidents and the company has not disclosed these incidents.
Disclosure Controls and Procedures. Similarly, although it is likely that the proposed rules, if adopted as proposed by the SEC, would require many companies to update their disclosure controls and procedures (DCP) for cybersecurity incidents, it may be appropriate for companies to review them now in light of current SEC disclosure requirements. The design and implementation of DCP that comply with SEC requirements will vary depending on the size and nature of a company’s business and is therefore a topic beyond the scope of this discussion. In general terms, however, DCP should provide reasonable assurance that potentially material information is appropriately identified, collected, tracked and reported, evaluated and, if appropriate, disclosed on a timely basis under SEC rules. As an example of areas for review, companies should determine whether information is captured directly from every area of business operations that is exposed to potentially material cybersecurity risks, rather than only from the company’s financial reporting systems. Because cybersecurity vulnerabilities are generally related to technology that changes more frequently than other parts of a company’s business, DCP that address cybersecurity risks may require more frequent review and potential modification than those that apply to other areas.
Incident Response Plans. Finally, although the accelerated disclosure requirements of the proposed rules would place a premium on comprehensive and highly responsive incident response plans, these plans are already very important. Good incident response plans can be an essential part of protecting a company’s business and fulfilling the fiduciary obligations of its directors. Advance retentions of outside counsel and forensic vendors are key elements of a response plan that can help companies avoid costly or catastrophic delays and assure that privilege attaches to those efforts. Companies should consider reviewing their incident response plans to ensure that a materiality analysis is included in the early phases of the plan. Companies that are not already doing so should schedule regular tabletop exercises to test the operation of their cybersecurity incident response plans and identify areas that may require changes. Although complying with SEC disclosure requirements – current and as modified by the rules finally adopted by the SEC – is ultimately secondary to protecting a company’s business, careful planning and a well-tuned and tested incident response plan should help ensure that external communications are not misleading or made selectively, and do not get ahead of the forensic investigation and responses.
CONSIDER PROVIDING COMMENTS ON THE PROPOSED RULES
As discussed in greater detail below, the proposed rules would significantly expand and accelerate cyber-related disclosure requirements for companies. The proposing release includes numerous requests by the SEC for comments on the proposed rules. Companies that have concerns about the proposed rules should consider whether they would like to provide comments on the proposed rules using the SEC’s online form. Companies can also provide comments by email or paper using procedures described on the SEC website. All comments will be publicly available on the SEC website. Among the proposals on which companies might wish to provide comments are the following:
- Accelerated Reporting of Cybersecurity Incidents on Form 8-K. The proposed rules would require companies to report cybersecurity incidents within four business days after the company determines that the incident was material. Materiality determinations are often both difficult and subjective, and the proposed rules would require companies to make this determination “as soon as reasonably practicable after discovery of the incident.” This may place significant burdens on management and require the company to engage significant external resources, and may also result in significant expenses.
- In addition, because it may be reasonably clear that an incident is material before the company can establish all of the material facts of the incident, the accelerated reporting requirement also significantly increases the likelihood that companies will need to update or correct the initial Form 8-K disclosures to reflect material information discovered after that filing. The proposed rules require companies to disclose any material changes or updates in the Form 10-Q or Form 10-K report for the period during which the company becomes aware of the new information, but it may be advisable under certain circumstances for companies to file one or more amendments to the initial Form 8-K report. The potential for something like real-time reporting could result in a lack of clarity for investors and exacerbate a company’s time and expense burdens as everyone attempts to stay on top of disclosure that might be changing frequently, even daily.
- Moreover, if the company determines that the incident was material, the proposal requires disclosure within four business days without any consideration of the potential results on pending law enforcement or other investigations or on notification or other requirements under federal or state laws. The SEC acknowledges in the proposing release that the proposed rules prioritize speedy disclosure over the potential impacts on law enforcement investigations that could reduce or eliminate the impact of the cybersecurity incident on the company and its shareholders and prevent or limit future impacts on others. Companies, investors and others may balance these considerations differently and may want to comment on the rigidly inflexible four business day reporting window. It may also complicate the conduct of investigations by the company or regulatory and law enforcement agencies because the proposed rules do not provide any exceptions or reporting delays for incidents where public disclosure could harm or interfere with an investigation. Similarly, the proposed rules provide no exceptions for conflicts with notification requirements under state or federal consumer or other laws, many of which permit delaying consumer notification upon the request of law enforcement authorities.
- “Cyber Expert” Identification and Qualifications. The proposed rules would require companies to identify any member of its board of directors or similar governing body who qualifies as an expert on cyber matters, based on the factors specified in the proposed rules. Although investors, proxy advisory services and others may have a positive view of the presence of one or more cybersecurity experts on a company’s board of directors, directors may have liability and other concerns about being designated as an expert even though the proposed rules include provisions that would protect directors in some circumstances.Companies may also be concerned that requiring disclosure of director expertise will create pressure on directors to acquire or enhance their cyber expertise while at the same time creating greater competition for companies to attract these directors and causing companies that find themselves lacking board expertise in this area to face pressure in the marketplace or from activist investors.
- Required Degree of Disclosure Specificity. Proposed Item 106 of Regulation S-K, which would require companies to make disclosures about cyber-related risk management, governance and strategy matters, may require companies to provide cyber-related disclosure with a degree of specificity that may cause concerns about exposing a company’s vulnerabilities or providing a roadmap that could expose companies to greater risks. The SEC specifically requests comments on whether the proposals would cause “concerns that certain disclosures required under Item 106 would have the potential effect of undermining a [company’s] cybersecurity defense efforts or have other potentially adverse effects by highlighting a [company’s] lack of policies and procedures related to cybersecurity.” There are related concerns about the proposed disclosure about the use of, and reliance on, third-party service providers.
- Application to FPIs, Smaller Reporting Companies and Emerging Growth Companies. The proposed rules do not provide any exemptions or disclosure accommodations for FPIs or for companies that qualify as smaller reporting companies or emerging growth companies under SEC rules, nor do they provide any deferred compliance dates for these companies. Companies that have concerns about the resources required to comply with some or all of the proposed rules may wish to comment on these concerns.
PUBLIC COMMENT PERIOD
The proposed rules are subject to a public comment period that ends on the later of 30 days after publication in the Federal Register or May 9, 2022. As noted above, interested parties can provide public comments on the proposed rules using the SEC’s online form or by email or on paper using the procedures described on the SEC website.
The proposed rules are the most recent development in the SEC’s regulation of the management and disclosure of cybersecurity risks and cybersecurity incidents that began more than a decade ago. The staff of the SEC Division of Corporation Finance published CF Disclosure Guidance: Topic No. 2 – Cybersecurity in October 2011. In February 2018, the SEC published its Commission Statement and Guidance on Public Company Cybersecurity Disclosure, described in an earlier Goodwin alert.
More recently, the SEC’s focus on cyber-related issues has appeared in many forms. For example, SEC Chair Gensler and other senior SEC staff have made numerous speeches and statements on the importance of cyber-related matters and the SEC’s regulatory agenda. In February 2022, the SEC proposed a package of new rules and amendments to enhance cybersecurity preparedness and improve cyber resilience of investment advisers and investment companies against cybersecurity threats and attacks, as described in a recent Goodwin alert. Addressing cyber-related matters in other ways, the SEC Division of Enforcement has taken enforcement action in a variety of cases since June 2021, including among others cases in which it (1) imposed a $1 million penalty on a public company based on charges that the company misled investors about a 2018 cyber intrusion and failed to maintain disclosure controls and procedures that complied with SEC rules, (2) imposed a $487,000 penalty based on charges that the company failed to maintain adequate DCP for cybersecurity risks and incidents and (3) sanctioned eight firms that were registered with the SEC as investment advisors and/or broker-dealers for cybersecurity policies and procedures failures.
The SEC expresses concern in the proposing release that current disclosure about cybersecurity risks and incidents, and how companies manage and oversee cyber-related issues, “may contain insufficient detail and … is inconsistent, may not be timely, and can be difficult to locate.” The proposed rules would address each of these concerns, as described below.
SUMMARY OF THE PROPOSED RULES
The rules proposed by the SEC would, if adopted in their current form, significantly expand and accelerate disclosure of cybersecurity risks, cybersecurity incidents and the board- and management-level structures and controls and procedures that companies rely on to manage and oversee cybersecurity risks and incidents. Although disclosure requirements do not necessarily lead to substantive changes, it is possible that enhanced disclosure requirements could over time lead companies to adopt higher or at least more uniform standards for cyber-related disclosures. The proposed rules include the following:
- Amend Form 8-K to require companies to disclose information about a cybersecurity incident within four business days after the company determines that it has experienced a material cybersecurity incident; amend Regulation S-K and Forms 10-Q and 10-K to require disclosure in the report for the relevant period of any material changes or updates to prior Form 8-K disclosure of material cybersecurity incidents (specifically including any material impacts and “any potential material future” impacts on the company’s operations and financial condition) and amend Form 8-K to require disclosure if the company determines that a series of previously undisclosed cybersecurity incidents that were individually immaterial has become material in the aggregate; and amend Form F-6 to add “cybersecurity incidents” as a reporting topic for FPIs.
The proposed Form 8-K amendments are likely to be the most controversial proposal. The proposal would require companies to file reports of cybersecurity incidents on Form 8-K within four business days after the company determines that a cybersecurity incident was material.
Definition of “Cybersecurity Incident.” The proposed rules define “cybersecurity incident” as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” The proposing release provides a non-exhaustive list of five examples that highlight the scope of cybersecurity incidents subject to reporting under the proposed rules. Among others, the examples include (1) accidental exposure and deliberate attacks that compromise the security of data, systems or networks, (2) unauthorized access involving altered or stolen business or personally identifiable information, and (3) incidents in which a malicious actor demands payment to restore stolen or altered company data or offers to sell or threatens to publicly disclose company data. Reflecting the SEC’s more expansive charge, these factors are broader than those contained in most state data breach reporting laws, for example, which focus on personally identifiable information.
Required Disclosure. The required disclosure would include the following, to the extent known by the company at the time of filing: when the incident was discovered and whether it is ongoing; a brief description of the nature and scope of the incident; whether any data was stolen or altered, accessed, or used for any other unauthorized purpose; the effect of the incident on the company’s operations; and whether the company has remediated or is currently remediating the incident.
Untimely Filings and Form S-3 Eligibility. Consistent with current SEC rules, the proposed rules would amend Form 8-K to include untimely filing of an Item 1.05 report among the others that do not result in loss of eligibility to use Form S-3.
Materiality Standard. The proposing release indicates that materiality for purposes of proposed Item 1.05 would be consistent with established standards under which information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if the information would have “significantly altered the ‘total mix’ of information made available.” The proposing release adds that materiality determinations require analysis that goes beyond quantitative factors, consistent with the interpretive guidance in Staff Accounting Bulletin No. 99, Materiality.
Reporting Challenges for Companies. Materiality determinations can require challenging analysis of facts and potential future circumstances, and Item 1.05 would be likely to require determinations that in many cases would be among the most difficult required by SEC rules. The proposing release highlights these challenges when it states that companies:
would need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material (emphasis added). Even if the probability of an adverse consequence is relatively low, if the magnitude of the loss or liability is high, the incident may still be material; materiality “depends on the significance the reasonable investor would place on” the information.
Although this statement is consistent with current legal standards for materiality, cybersecurity incidents may often be very complex from both quantitative and qualitative perspectives. The facts and their potential impact may be uncertain, especially shortly after the incident. The company’s analysis may require the assistance of outside technology experts, as well as legal and accounting advice, which can require significant time and expense. The compressed timeframe for evaluation and disclosure, and the fact that this disclosure is “filed” and therefore incorporated into the company’s shelf registration statements for disclosure and liability purposes, may cause additional concerns. Moreover, as discussed below, if the company determines that the incident was material, the proposal would require the company to file a Form 8-K report within four business days, without any consideration of the potential results on pending law enforcement or other investigations or any requirements under state or federal laws.
To address concerns that companies may delay making a determination that a cybersecurity incident was material, the new Form 8-K disclosure under Item 1.05 would require companies to make materiality determinations “as soon as reasonably practicable after discovery.” The SEC amplifies this requirement in the proposing release, stating that “[i]f we adopt the date of the materiality determination as the Form 8-K reporting trigger, as proposed, we expect [companies] to be diligent in making a materiality determination in as prompt a manner as feasible.”
Potentially further complicating the process of satisfying the requirements of proposed Form 8-K Item 1.05, the proposed disclosure requirement would apply even if the company or a regulatory or law enforcement agencies are investigating the incident. In the proposing release, the SEC states that:
we recognize that a delay in reporting may facilitate law enforcement investigations aimed at apprehending the perpetrators of the cybersecurity incident and preventing future cybersecurity incidents. On balance, it is our current view that the importance of timely disclosure of cybersecurity incidents for investors would justify not providing for a reporting delay.
The SEC’s judgment that the harm to the company, its customers, suppliers and investors that could result from disclosure that compromised or potentially nullified any positive results from a law enforcement investigation is outweighed by the benefits of speedy — arguably premature — disclosure may not be shared by the persons and parties with a direct stake in the results. As a related point, the proposal does not provide any accommodations for the impact of state law notice requirements that may permit companies to defer public disclosure of a cybersecurity incident if law enforcement authorities request.
Without minimizing the importance of prompt disclosure, companies may encounter difficulties when simultaneously assessing a cybersecurity incident, managing interactions with outside technical experts, lawyers and accountants, conducting an internal investigation and responding to a potential investigations by regulatory and/or law enforcement agencies, satisfying state and/or federal consumer or customer notification requirements and complying with a four business day Form 8-K reporting requirement. If nothing else, this proposal would increase the already great need for rapid response plans.
Disclosure of Individually Immaterial Incidents. The accelerated cybersecurity incident reporting requirements may cause other challenges or concerns. For example, the proposal would require companies to report a series of previously undisclosed individually immaterial cybersecurity incidents if the series of incidents has become material in the aggregate. Ensuring that the company’s DCP capture and keep track of individually immaterial incidents and provide a reasonably reliable notification that these incidents may in the aggregate have become material may present significant practical challenges. Notably, the proposal refers to “a series” of incidents, rather than a series of related incidents, and provides no guidance on how companies should determine which immaterial incidents should be aggregated for purposes of this disclosure requirement.
Disclosure of Potential Material Future Impacts. Another notable issue is the requirement to disclose “[a]ny material effect of the incident on the [company’s] operations and financial condition . . . [and any] potential material future impacts on the [company’s] operations and financial condition.” Neither the proposed amendment nor the proposing release provide any guidance on whether companies should view the requirement to report “potential material future impacts” as consistent with the disclosure requirements for known trends and uncertainties in Management’s Discussion and Analysis (Item 103 of Regulation S-K) as amended by the SEC in 2020 and discussed in this Goodwin alert.
- Amend Form 10-K to require the disclosure specified in proposed Item 106 of Regulation S-K regarding cybersecurity policies and procedures, cybersecurity governance (including the role of board oversight), and management’s role and expertise in assessing, implementing and managing cybersecurity related policies, procedures and strategies, and amend From 20-F to require disclosure essentially identical to the disclosure required by Item 106 and Form 10-K.
Proposed Item 106 of Regulation S-K would be required in Form 10-K annual reports. The proposed amendments to Form 20-F annual reports filed by FPIs would require essentially identical disclosure in new Item 16J. These would require companies to address, to the extent applicable, a lengthy list of specific disclosure topics related to the company’s policies and procedures for the identification and management of cybersecurity threats. Item 106 and Item 16J would also require companies to respond to a lengthy and specific list of factors related to the role of the board of directors or similar governing body in overseeing cybersecurity risks and the role of the company’s management in assessing and managing risks related to cybersecurity and implementing the company’s cybersecurity policies, procedures and strategies.
These disclosure requirements are based on detailed lists of topics that companies must address and represent a notable return to prescriptive disclosure requirements. The SEC has in recent years largely abandoned prescriptive line-item disclosure requirements in favor of more general, less specific “principles based” disclosure requirements. The return to prescriptive disclosure requirements in these proposals is likely intended to promote more uniform disclosure and facilitate comparisons by investors and market professionals.
- Amend Item 407 of Regulation S-K to require disclosure in annual reports on Form 10-K and Form 20-F, and proxy and information statements on Schedule 14A and Schedule 14C, if any member of the company’s board of directors has cybersecurity expertise.
This proposal is similar to the existing requirement that companies disclose whether the board of directors has designated one or more directors as an “audit committee financial expert” (or if not, why not). Designation as a cybersecurity expert may raise liability concerns. Like the audit committee financial expert disclosure requirement, the proposal does not define “expert” status, but includes a non-exclusive list of criteria that may be considered when determining whether a director has cybersecurity expertise. These include factors such as the director’s work experience, relevant education or certifications, and knowledge, skills and background. To address potential liability concerns, the proposal includes safe harbor provisions that are similar to those included as part of the audit committee financial expert disclosure requirements.
Because cybersecurity issues have become increasingly important to investors, companies that have one or more directors who could be described as cybersecurity experts under this proposal may, on balance, view this proposal as an opportunity for disclosure that makes the company more attractive to potential investors.
- Amend SEC rules to require companies to identify the proposed disclosures in SEC filings using Inline XBRL.
To expedite access to the proposed disclosures by investors and regulators, the proposed rules would require companies to identify these disclosures using Inline extensible Reporting Language. Inline XBRL tagging would address the SEC’s concerns that cybersecurity-related disclosure can occur in a variety of locations in SEC reports.
Cybersecurity and ESG (Environmental, Social and Governance) disclosures are currently the center of attention for large numbers of investors, regulators, proxy advisory services, media outlets and lawmakers, as well as the general public. The Biden administration and Chair Gensler have identified new requirements for cybersecurity and ESG disclosure as high priorities. We expect the SEC to propose new disclosure requirements for ESG matters later this year. Although the timing and final requirements of new disclosure requirements for cyber-related and ESG matters are uncertain, there is little or no uncertainty that companies will face significant new disclosure requirements in the near future.