SEC Proposes Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rules

Nicholas Goldin and Karen Hsu Kelley are partners and Shanice Hinckson is an associate at Simpson Thacher & Bartlett LLP. This post is based on their Simpson Thacher memorandum.

On Wednesday, by 3-1 vote, the SEC approved proposed rules aimed at enhancing and standardizing disclosures made by public companies regarding cybersecurity risk management, strategy, governance and incident reporting, [1] reflecting the third rulemaking project the Commission has proposed in connection with cybersecurity in the past year. [2] The proposal, if adopted, would require mandatory reporting of material cybersecurity incidents and mandatory ongoing disclosures regarding companies’ governance, risk management, and strategy with respect to cybersecurity risks.

By way of background, in October 2011, the Division of Corporation Finance issued guidance that addressed disclosure obligations relating to cybersecurity risks and incidents explaining that, although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, public companies nonetheless may be obligated to disclose material risks and incidents in various sections of their periodic reports, e.g., their description of business, risk factors and management’s discussion and analysis of financial condition and results of operation sections. [3] In 2018, the Commission issued interpretive guidance to reinforce and expand upon the 2011 Staff Guidance by identifying existing provisions in Regulations S-K and S-X that may require disclosure about cybersecurity risks, governance, and incidents. [4] Notably, the guidance did not create any new obligations.

While the guidance set forth in both the 2011 Staff Guidance and the 2018 Interpretive Release would remain in place if the Commission adopts the proposed rules, the rules would mark the first securities disclosure obligations on issuers that are specifically tailored to cybersecurity events. Most significantly, the rules contemplate the disclosure of certain cybersecurity events far sooner than currently required.

The proposed rules:

  • Expand Form 8-K to add a new Item 1.05, which would require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident. An Item 1.05 8-K would be triggered on the date a registrant determines that a cybersecurity incident is material, rather than the date of discovery of the incident;
  • Expand Regulation S-K to include new Item 106(d), which would apply to both Forms 10-K and 10-Q, to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate;
  • Amend Item 407 of Regulation S-K to require disclosure in annual reports and/or proxy statements if any member of the registrant’s board of directors has expertise in cybersecurity, naming such director and any detail necessary to fully describe the nature of the expertise.

The proposed rules also contemplate the application of enhanced cybersecurity reporting to foreign private issuers through changes to the Form 20-F and Form 6-K requirements.

For purposes of the proposed rules, the Commission has provided the following definitions of “cybersecurity incident,” “cybersecurity threat” and “information systems” with respect to the proposed disclosure requirements.

  • Cybersecurity incident” is defined to mean an “unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
  • Cybersecurity threat” is defined to mean “any potential occurrence that may result in, an unauthorized effort to adversely affect the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.”
  • Information systems” is defined to mean “information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.”

In advocating for the new rules, Chair Gensler described cybersecurity as “an emerging risk with which public issuers increasingly must contend,” and further stated that “[t]he interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.” [5] In her dissenting statement, however, Commissioner Peirce cautioned that the proposal “flirts with casting [the SEC] as the nation’s cybersecurity command center, a role Congress did not give [the SEC].” [6]

On the one hand, companies have been required—under longstanding disclosure requirements—to disclose material cybersecurity events in their periodic SEC filings, and the proposed rules do not impact those obligations. However, the proposed rules are noteworthy because, among other things, they create a specific Form 8-K trigger for cybersecurity incidents that will mandate prompt consideration and continued evaluation of the materiality of an incident. While the proposed rules tie the trigger for disclosure to the date upon which a materiality determination is made rather than the date of the discovery of the incident, we nonetheless anticipate in practice that the proposed rules may in certain circumstances mandate disclosure earlier in the lifecycle of an event when less information is known. The prospect of an extremely compressed time frame for assessing the materiality of an incident reinforces the importance of having a pre-packaged set of procedures in place that clearly define roles and responsibilities for responding to cyber incidents. This would likely require companies to consider and perhaps implement changes to their existing disclosure controls and procedures, an area where the SEC has been recently focused. [7] Moreover, the SEC’s emphasis on the disclosure of board-level cybersecurity expertise and oversight will likely prompt public companies to assess the skill sets of their current and potential new directors with a new lens.

Conclusion

The Commission has made it clear that the economic risk and cost related to cybersecurity incidents has greatly increased since the Division of Corporation Finance issued its 2011 Staff Guidance and the 2018 Interpretive Release. Now, in an effort to achieve uniformity, the Commission has taken a bold step in proposing these more stringent cybersecurity rules. Given the Commission’s new proposal and its continued focus on cybersecurity related disclosures, as well as the continuing guidance in the Interpretive Guidance in 2018, public companies should consider a fresh review of their disclosure controls and their cybersecurity policies and procedures to assess whether any modifications are warranted.

Endnotes

1See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure as well as Public Company Cybersecurity Fact Sheet.(go back)

2On January 26, 2022, the Commission voted to propose expanding Regulation Systems Compliance and Integrity (SCI) to certain government securities trading platforms. Regulation SCI for ATSs That Trade U.S. Treasury Securities and Agency Securities. On February 9, 2022, the Commission voted to propose new obligations for registered investment advisers and funds with respect to cybersecurity. Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies.(go back)

3CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 13, 2011).(go back)

4Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 26, 2018); No. 33-10459 (Feb. 21, 2018) [83 FR 8166].(go back)

5SEC Chair Gary Gensler, Statement on Proposal for Mandatory Cybersecurity Disclosures.(go back)

6Commissioner Hester M. Peirce, Dissenting Statement on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Proposal.(go back)

7See Simpson Thacher, As Cyber Incidents Continue to Rise, the SEC Charges Issuer for Inadequate Disclosure Controls in the Context of a Data Breach as well as SEC Settles Charges With Pearson plc Relating to Disclosures Concerning Cyber Breach.(go back)

Both comments and trackbacks are currently closed.