Paul Ferrillo is partner at Seyfarth Shaw LLP; Bob Zukis is Adjunct Professor of Management and Organization at the USC Marshall School of Business; and Christophe Veltsos is a Professor at Minnesota State University.
One month prior to their March 9th announcement, the SEC released their proposed cyber rules specifically for registered investment advisers and registered investment funds. They have now turned their attention to public reporting companies and are proposing regulatory changes to cyber incident reporting, cyber risk management and cyber governance.
The last time the SEC issued interpretive guidance for public companies on cyber risk was in 2018 (see 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures). [1] Since then, there have been litigation releases that have also provided guidance to public companies on their cybersecurity disclosure controls and obligations. [2] We summarized some of these releases in a prior Harvard Law Forum article to help public companies understand the scope of their reporting obligations. [3]
Where these prior Commission statements and litigation releases fell short, the new proposed rules significantly raise the bar. These proposed rules appreciably increase corporate accountability on cyber risk from the boardroom on down. By becoming more specific and prescriptive, the SEC is addressing observed shortcomings and inconsistencies in cyber incident reporting practices, ranging from whether an incident is even disclosed and what gets disclosed, to when and how companies govern and manage cyber risk. No longer just unevenly interpreted self-regulatory guidance, these are proposed regulatory changes that apply to all issuers.
On March 9, 2022, when the SEC turned its attention to public companies, SEC Chair Gensler commented:
Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs. Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting. [4]
In our opinion, the vagaries and self-regulated approach of the SEC’s prior guidance had not created significant or universal improvement in the timeliness or consistency of disclosures related to cyber incidents. Their prior interpretive guidance had also not created widespread and material improvement in cyber risk oversight or cyber risk management practices and policies within issuers. The widening cyber risk exposure gap threatening investor interests is the result of the ongoing escalation of cyber risk and its escalating impacts compared to the slow-moving evolution of meaningful cyber governance and management reform. The SEC’s proposed rules are meaningful steps towards fixing that discrepancy.
The New Materiality/Incident Reporting Burden on Issuers
One proposed amendment to Form 8-K now expressly requires registrants to disclose information about a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident, as opposed to the incident’s date of discovery. This amendment expressly adds material cybersecurity incidents to the long list of other significant events to be reported on Form 8-K, in addition to providing structure to what should be disclosed. The proposed rule would add Item 1.05 to Section 1 (Registrant’s Business and Operations) of Form 8-K.
The SEC has designated Form 8-K as the primary vehicle for the reporting of a cybersecurity incident within four days of when the company determines the incident is material. But prior to the release of the proposed rules for public companies there was very little guidance as to what the Form 8-K should say. Now, we have guidance in the proposed rules, which explain what the 8-K should cover:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the registrant’s operations; and
- Whether the registrant has remediated or is currently remediating the incident.
The proposed rules note:
We believe that this information would provide timely and relevant disclosure to investors and other market participants (such as financial analysts, investment advisers, and portfolio managers) and enable them to assess the possible effects of a material cybersecurity incident on the registrant, including any long-term and short-term financial effects or operational effects.
Notably, this change includes a subtle yet impactful shift to when an incident should be reported to be “within four business days after the registrant determines that it has experienced a material cybersecurity incident.” The prior “general” standard was the date that an incident was discovered. This new disclosure trigger date puts an increased burden on issuers to understand the impacts of a cyber breach and what constitutes materiality. As ransomware continues to escalate, the business impacts of cyber risk are now extending well beyond equity risk. They include significant financial costs, fines, penalties and litigation costs, business continuity risks, and the far-reaching economic exposures of third-party and other systemic risk impacts.
This new provision will not only require companies to understand materiality in the context of a breach, but it will have the effect of challenging boards and management teams to understand materiality in financial terms before breaches occur. Calculating projected, or expected, cyber losses is something rarely done at present. But estimating this potential liability shares common ground with any estimate of probable and estimable losses, such as loan loss reserves for banks, warranty liabilities for manufacturers or doubtful accounts receivable for any company.
Whereas corporate leadership may have felt that cyber insurance effectively transferred the majority of their risk exposure to a third party, the reality of the expanding impacts of cyber risk means that issuers are primarily self-insured for the significant majority of the cyber risks and costs that they face. This proposed change will now force corporate boards and management to have a new understanding of the far-reaching economic impacts inherent within their cyber risk environment, the specifics of their cyber control practices and policies from the boardroom down, and the specific impacts of a breach.
Both Bridgestone and Toyota recently reported that they shut down part of their operations because of a cyber-attack: not as a direct result of the attack, but because they didn’t understand how cyber risk impacts their broader operating environment, and this was the only way they could control the impacts of the breaches. This subtle but powerful proposed SEC rule change will require much more depth of understanding of the potential liabilities related to cyber risk.
In addition to forcing more accountability for understanding cyber risk, the SEC is suggesting this change based upon their view that many companies either “took their time,” or did not report at all, leaving investors in the dark as to the consequences of the material breach while the stock traded on the open market. As an example, we recently wrote about the case of First American Financial Corporation and its disclosure controls:
The company shortly thereafter issued a press release and disclosure to the SEC through Form 8-K. However, unbeknownst to both the board and senior management (who were responsible for filing the Form 8-K disclosure), the vulnerability, which dated back to 2014, was discovered by senior IT management in December 2018 and documented as “serious” in a security assessment report. Despite identifying and documenting the vulnerability, it was never remedied until Brian Krebs made his announcement.
[…]
Indeed, subsequent to the May 28, 2019, Form 8-K, the company’s information security personnel determined that the vulnerability had, in fact, existed since 2014. Because the critical vulnerability was not escalated, the senior executives lacked the information required to fully evaluate the company’s cybersecurity responsiveness and risk. Thus, the SEC noted as of May 24, 2019, First American did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of that data. [5]
New Levels of Boardroom Cyber Accountability
The twentieth anniversary of The Sarbanes-Oxley Act of 2002 occurs this year. One of the sweeping changes this legislation made was to require issuers to have qualified financial experts amongst their corporate director ranks. [6] An obvious boardroom competency in hindsight, the SEC’s new proposed rule is also addressing cybersecurity expertise in the corporate boardroom to increase corporate directors’ understanding of, and accountability for, cybersecurity. Strengthening the boardroom as a critical cyber control in 2022 is as vital as strengthening the boardroom as a critical financial reporting control was in 2002.
The SEC’s proposed rules will amend Item 407 of Regulation S-K relating to corporate governance to now also require disclosure of whether any member of the registrant’s board has cybersecurity expertise. This will create a director disclosure requirement that closely mirrors boards’ current obligation under Item 407 to disclose, and name, financial expertise on the audit committee, including the requirement to describe the nature of the director’s cyber expertise.
“Cyber expertise” would follow the similar interpretation given to financial expertise that values true functional depth and understanding of these issues.
Proposed Item 407(j)(1)(ii) includes the following non-exclusive list of criteria that a registrant should consider in reaching a determination on whether a director has expertise in cybersecurity:
- Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
- Whether the director has obtained a certification or degree in cybersecurity; and
- Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning. [7]
The similar provision related to financial expertise that was enacted as part of corporate director competency reforms with SOX in 2002 had the effect of “forcing” boards to add significant financial and accounting depth to the board. This was nothing short of transformative to how companies approached financial and accounting controls, systems, policies, procedures and processes. Having true cyber expertise on corporate boards would add significant boardroom accountability that would drive similar levels of management transformation on cybersecurity controls, systems, policies, procedures, and processes.
Where do Public Companies Go from Here?
Two things have been clear since Chair Gensler took office: the cybersecurity pandemic was not going to go away anytime soon, and Chair Gensler’s focus on protecting the investor was—and continues to be—razor sharp. The new release aimed at public companies demonstrates this.
Accountability is increasing from SEC enforcement actions, shareholder derivative and other legal actions, and now these proposed rule changes. The tone at the SEC and other regulators has changed. Clearly, leaving these critical investor issues up to issuer self-regulation was not working. These proposed rules have a decidedly preventative focus, bringing regulatory weight to key preventative controls that will address real cyber risk governance and cyber risk management shortcomings for the first time.
The writing on the wall is clear. Significant regulatory change to cyber risk is inevitable as the SEC begins to finalize these rules. These changes however aren’t anything that a high performing corporate board and management team can’t, or more accurately, shouldn’t already be doing.
Endnotes
[1] See SEC Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb 26, 2018), available at https://www.sec.gov/rules/interp/2018/33-10459.pdf
[2] See SEC Charges Issuer with Cybersecurity Disclosure Controls Failures, available at https://www.sec.gov/news/press-release/2021-102
[3] See Cybersecurity and Disclosures, available at https://corpgov.law.harvard.edu/2021/10/04/cybersecurity-and-disclosures/
[4] See SEC announcement about proposed rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (March 9, 2022), available at https://www.sec.gov/news/press-release/2022-39
[5] See Cybersecurity and Disclosures, available at https://corpgov.law.harvard.edu/2021/10/04/cybersecurity-and-disclosures/
[6] Zukis, Bob. “Are Cyber Experts on Boards Inevitable.” The Conference Board (June 16, 2016), available at https://www.conference-board.org/blog/postdetail.cfm?post=5917
[7] See p. 45 of the SEC’s Proposed Rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (March 9, 2022), available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf