1. Release at 5 (citing CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 13, 2011), https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm).

2. Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 21, 2018), https://www.sec.gov/rules/interp/2018/33-10459.pdf.

3. See, e.g., In the Matter of Altaba Inc., Release No. 33-10485 (Apr. 24, 2018), available at http://www.sec.gov/litigation/admin/2018/33-10485.pdf.

4. Materiality hinges on there being a substantial likelihood that a reasonable investor—i.e., one focused on financial returns—would consider the information important in making an investment decision. See, e.g., TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976).

5. As one commenter pointed out, this failure could raise separation of powers concerns. See Comment Letter from National Retail Federation at 8-9 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128322-291085.pdf (suggesting “serious concerns” that the Securities Act and Exchange Act violate the non-delegation doctrine if the Acts “delegate[] limitless authority for the SEC to require public disclosures on any topic it deems in the ‘public interest’ or as ‘protecting investors.’”).

6. Release at 100, 107 (citations omitted). See also id. at 101 (“The Commission has long relied on the broad authority in these and other statutory provisions to prescribe rules to ensure that the public company disclosure regime provides investors with the information they need to make informed investment and voting decisions, in each case as necessary or appropriate in the public interest or for the protection of investors.”) (citations omitted).

7. Release at text accompanying n.407.

8. See, e.g., 17 CFR §229.106(c)(2)(i) (requiring companies to disclose the “relevant expertise” of persons who manage cybersecurity risk “in such detail as necessary to fully describe the nature of the expertise.”); 17 CFR §229.106(c)(2)(ii) (requiring companies to disclose “[t]he processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents”); Form 8-K, Item 1.05 (requiring a company that “experiences a cybersecurity incident that is determined by the registrant to be material, [to] describe the material aspects” of the cybersecurity incident within four business days of the materiality determination).

9. In addition to the items listed in supra note 8, companies must disclose “processes, if any, for assessing, identifying, and managing material risks . . . in sufficient detail for a reasonable investor to understand those processes.” 17 CFR §229.106(b)(1). Further, companies must disclose their use of “assessors, consultants, auditors, or other third parties,” and processes for monitoring threats from “third-party service provider[s].” 17 CFR §229.106(b)(1). Companies also must disclose how cybersecurity threats have materially changed how they run the company and how both their board and management handle cybersecurity threats. 17 CFR §229.106(b)(2), (c)(1), and (c)(2). Companies must further identify management positions or committees that handle cybersecurity and how they keep a company’s board informed. 17 CFR §229.106(c)(2).

10. See Comment Letter from U.S. Chamber of Commerce (“Chamber”) at 26 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128398-291304.pdf (“According to some government officials and industry professionals, the proposed rule’s governance disclosure requirements ‘embody an unprecedented micromanagement’ by the SEC pertaining to the composition and functioning of both the management and the boards of companies. . . . It is hard to avoid the conclusion that the Commission is trying to stipulate that companies take specific cybersecurity actions. The SEC should not use its disclosure rules to prescriptively influence company activity in this regard; nor should it overstep its disclosure authority. The Commission would be granting itself additional authority to push companies on how they should operate their cybersecurity programs. The Commission should not require disclosures designed to unduly influence company behavior where it does not have such expertise.”).

11. Release at 107 (“The final rules are indifferent as to whether and to what degree a registrant may have identified and chosen to manage a cybersecurity risk.”).

12. See Comment Letter from NYSE Group, Inc. at 2 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128356-291125.pdf (“[M]any public companies have already developed robust cybersecurity policies and procedures that enable them to manage risks unique to their businesses and make required disclosures consistent with previous Commission guidance. The NYSE is concerned that the Proposal’s disclosure requirements could result in the creation of de facto minimum standards that . . . constrain management’s ability to address cybersecurity risks in a manner most suitable for their business. . . . [For example w]hen formulating a cybersecurity risk management plan, the Exchange worries that the prescriptive requirements of proposed Item 106 may lead to corporate decision making that is driven in greater part by a desire to fit within perceived norms than by what makes sense organizationally.”); Comment Letter from Dr. Jayanthi Sunder, Dr. Isabel Wang, Dr. John Jiang, and Dr. Musaib Ashraf, The University of Arizona and Michigan State University at 3 (May 8, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128266-290115.pdf (“Ashraf (2021) studies how greater SEC guidance on cybersecurity risk factors impacts the structure of these risk factor disclosures. He documents herding behavior: after the SEC’s 2011 cyber risk disclosure guidance, firms issued less unique cybersecurity risk factors and started issuing risk factors that more closely match the wording of the SEC’s 2011 guidance. He also finds that shareholders find more unique (not boilerplate) cybersecurity risk factor disclosures to be more informative. . . . If the SEC issues further guidance on how firms should disclose cybersecurity risk factors, the findings of Ashraf (2021) suggests that firms will herd towards what the firms think the SEC wants them to disclose rather than disclosing risk factors that appropriately represent a firm’s cybersecurity risk.”) (citing https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3807487); see also Comment Letter from SIFMA at 7 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128347-291108.pdf (“[R]equiring excessive or specified granular detail could make for misleading or unhelpful boilerplate.”); Comment Letter from Jerry Perullo at 11 (May 4, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20127883-289397.pdf (“[F]orcing [smaller firms] to implement policies [by requiring the disclosure items under Item 106] is likely to drive them into downloading reams of boilerplate policy that is not reflective of culture and practices.”) (emphasis omitted).

13. For example, in the recent Activision Blizzard Inc. settlement, the SEC leveraged the Exchange Act’s requirement to have “disclosure controls and procedures” to criticize a company for its poor response to workplace misconduct. See https://www.sec.gov/news/statement/peirce-statement-activision-blizzard-020323.

14. Other local or federal agencies might have a greater interest in non-disclosure. The charge of the Cybersecurity and Infrastructure Security Agency (“CISA”), for example, is to “understand, manage, and reduce risk to our cyber and physical infrastructure” and “defend and secure cyberspace by leading national efforts to drive and enable effective national cyber defense, resilience of national critical functions, and a robust technology ecosystem.” https://www.cisa.gov/about. See also Comment Letter from Bank Policy Institute et al. (“BPI et al.”) at 13 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128336-291093.pdf (“[W]e believe the Proposed Rules should provide for delayed disclosure at the request of CISA in limited circumstances to support CISA’s critical responsibility to ‘coordinate[] the execution of our national cyber defense, lead[] asset response for significant cyber incidents and ensure[] that timely and actionable information is shared across federal and non-federal and private sector partners.’”) (quoting Cybersecurity & Infrastructure Security Agency, About CISA, https://web.archive.org/web/20220510182532/https://www.cisa.gov/about-cisa).

15. See Comment Letter from Society for Corporate Governance at 10 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20129132-295036.pdf (“Given the four-business day Form 8-K deadline after determining materiality, we believe it would be impossible to obtain such a written national security determination from the Attorney General or other high-level agency officials in advance of that deadline.”).

16. The final rules allow an initial delay of thirty days, followed by a possible thirty-day extension, and then, only in “extraordinary circumstances,” another sixty-day delay. Form 8-K, Item 1.05(c). Additional extensions require a Commission exemptive order.

17. Form 8-K, Item 1.05(d).

18. The Health Insurance Portability and Accountability Act (“HIPAA”) requires breached companies to delay notifying affected individuals and media upon the written request of “a law enforcement official” for a period specified by the official. 45 CFR § 164.412. The SEC’s law enforcement exception differs with respect to the length of the reporting delay, which type of law enforcement official can authorize a delay, and the permissible grounds for delay. The Commission argues that the HIPAA notifications focus on affected individuals and the media, not investors. See Release at 44-45. An 8-K disclosure, of course, could have the effect of informing individuals and the media of a breach. One purpose of a law enforcement exception is to give law enforcement the time and space to identify those behind the breach, which could be undermined by the 8-K filing. See also Comment Letter from Confidentiality Coalition at 2 (May 5, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128294-291029.pdf (“HIPAA allows for a reporting delay if a law enforcement official indicates that a notification, notice, or posting required under HIPAA would impede a criminal investigation or result in harm to national security. Here, the proposed rule fails to provide any reporting delay when there is an ongoing investigation of a cybersecurity incident. Failing to recognize a delay for notification by law enforcement will undermine HIPAA, and increase risk to the registrant, the overall healthcare industry, impacted individuals, state and/or federal investigations, and national security.”).

19. Congress recently passed the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”), which requires a “critical infrastructure” company to report to CISA any “substantial cyber incident” within 72 hours after it “reasonably believes that the covered cyber incident has occurred.” Cyber Incident Reporting for Critical Infrastructure Act of 2022, Pub. L. No. 117-103, div. Y (Consolidated Appropriations Act, 2022), https://www.congress.gov/bill/117th-congress/house-bill/2471/text. CISA then distributes threat information to relevant parties. 6 U.S.C. § 681e(a)(2)(A). An 8-K filing could interfere with CISA’s ability to control how, when, and to whom the information is conveyed and thus undermine CISA’s “ability to coordinate and disseminate threat indicators and defensive measures in time for others to act on the information.” Letter from BPI et al. at 13. CIRCIA included a “cyber incident reporting council [of which the SEC is a member] ‘to coordinate, deconflict, and harmonize Federal incident reporting requirements . . . .’” Cyber Incident Reporting for Critical Infrastructure Act § 2246(a) (“The Secretary shall lead an intergovernmental Cyber Incident Reporting Council, in consultation with the Director of the Office of Management and Budget, the Attorney General, the National Cyber Director, Sector Risk Management Agencies, and other appropriate Federal agencies, to coordinate, deconflict, and harmonize Federal incident reporting requirements, including those issued through regulations.”). Rather than harmonizing with CISA, the agency with a statutorily mandated rulemaking process, the SEC is barreling ahead without a congressional mandate for its compressed rulemaking timeline.

20. See, e.g., Release at 13 (“Overall, we remain persuaded that, as detailed in the Proposing Release: under-disclosure regarding cybersecurity persists despite the Commission’s prior guidance; investors need more timely and consistent cybersecurity disclosure to make informed investment decisions; and recent legislative and regulatory developments elsewhere in the Federal government . . . will not effectuate the level of public cybersecurity disclosure needed by investors in public companies.”) (emphasis added).

21. Release at 140.

22. Letter from Chamber at 8 (“[T]otal initial yearly costs [likely could be] $317.5M to $523.4M ($38,690 to $69,151 per regulated company), and future annual costs of $184.8M to $308.1M ($22,300 to $37,500 per company) . . . .”).

23. Release at 157, PRA Table 3.

24. Comment Letter from Biotechnology Innovation Organization (“BIO”) at 14 (May 5, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128401-291312.pdf (“[S]mall companies are seldom targets of cybercriminals but will see the most severe direct and indirect costs associated with complying with the rule and increases in their costs of capital.”).

25. Release at 144 (“The compliance costs of the final rules could be disproportionately burdensome to smaller registrants, as some of these costs may have a fixed component that does not scale with the size of the registrant. Also, smaller registrants may have fewer resources with which to implement these changes.”) (citations omitted). See also Letter from BIO at 14 (“The median employee count for BIO’s members is 19. This includes executives and R&D personnel, such as researchers and lab technicians. These small biotechnology companies do not have the capacity, nor the business need, to have institutional structures related to the management, planning, oversight, and maintenance of cybersecurity related systems and suppliers. These companies should not have to hire extra employees specifically for the purposes of implementing cybersecurity related programs when their main focus for raising capital is to advance research and development of products whose intellectual property is easily searchable in patent libraries.”).

26. Release at 144. Our Office of the Advocate for Small Business Capital Formation noted with concern the absence of tailoring for small companies in the proposal. See Office of the Advocate for Small Business Capital Formation, Annual Report: Fiscal Year 2022 at note 273 and accompanying text, SEC (Dec. 2022), https://www.sec.gov/files/2022-oasb-annual-report.pdf.

27. Release at 108. The release delays compliance with the XBRL requirement by one year. Id. at 109.

28. See, e.g., Comment Letter from Energy Infrastructure Council at 8 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128379-291282.pdf (“The Proposal will likely lead to registrants disclosing granular and specific details about cybersecurity incidents as well as overly detailed information regarding their cybersecurity governance. Accordingly, the Proposal may provide threat actors with a ‘roadmap’ to potential vulnerabilities in registrant’s cyber controls and associate information systems. Prior to engaging with a target, threat actors will often use open-source intelligence (OSINT) to learn more about their target. We can foresee threat actors using SEC disclosures to target registrants they perceive to have unsophisticated cybersecurity programs. For instance, a threat actor may target a registrant that disclosed that it is in the process of implementing cybersecurity policies and procedures, or a registrant that disclosed that its chief information security officer unexpectedly quit, and the position is currently vacant. Additionally, threat actors may target cybersecurity-related personnel that are named in a registrant’s disclosures.”) (citations omitted) (emphasis added); see Letter from National Retail Federation at 11 (“The proposal’s requirement to disclose policies and procedures to manage cybersecurity risks may highlight company vulnerabilities that could be exploited by cyber criminals or competition. . . . It is undoubtably [sic] important for companies to maintain such policies and procedures. Yet it is equally important for them to remain nimble and able to address quickly emerging threats and trends. The level of detail required by the proposal would allow cybercriminals to search for and exploit vulnerabilities in those policies and procedures and prevent the degree of flexibility companies need to change practices and procedures as threats emerge.”).

29. Comment Letter from LTSE Services, Inc. at 2-3 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20129163-295059.pdf (“Unlike the typical Form 8-K event like a change in auditors, or resignation or appointment of a new director or officer, which is an event that is defined in time and largely determined by the company or a director or officer of the company, the determination of the occurrence of a material cybersecurity event is based on facts and circumstances largely out of the control of the company.”); Comment Letter from Debevoise at 2 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128351-291117.pdf (“Items required to be disclosed under current Form 8-K generally: (i) relate to events within a registrant’s control; (ii) events with respect to which a registrant has some advance warning or awareness; and/or (iii) events that are influenced by a registrant’s volitional acts; whereas proposed Item 1.05 would require disclosure of an event that is at its core a matter of registrant reactivity.”); Comment Letter from Energy Infrastructure Council at 7-8 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128379-291282.pdf (“Cybersecurity incidents are fundamentally different from the types of events covered by existing Form 8-K rules. Mandatory Form 8-K triggers generally cover discrete, clearly identifiable events relating to a company’s material transactions, governance or financial position. The occurrence and timing of most 8-K triggers are typically either within the control of the company or reasonably predictable. As acknowledged by the Commission in 2004, reporting on 8-K is intended for ‘unquestionably or presumptively material events.’ Conversely, a cybersecurity attack is by its nature operational, largely outside the company’s control and unpredictable, and certainly not ‘unquestionably or presumptively material.’ . . . Existing rules already require companies to apprise investors of a material operational issue, including a material cybersecurity event. A specific, mandatory 8-K trigger for cybersecurity events inappropriately extends the coverage of Form 8-K to the realm of operational developments, which are more appropriately disclosed in periodic reports or voluntary Forms 8-K, at a point when the information is more fully developed and impacts are better understood.”) (citing 17 C.F.R. §§ 228, 229, 230, 239, 240 and 249 (2004)).

30. Comment Letter from Senator Portman at 3-4 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128391-291294.pdf (“Forcing companies to disclose cyber incidents publicly and before they have a complete understanding of those incidents, mitigate the damage and vulnerabilities, and contain malicious actors presents significant security risks. Nefarious cyber actors—both criminal organizations and nation state actors—are adept at collecting intelligence on their victims and leveraging that information in their attacks and ransomware negotiations. Requiring the disclosure of information on ongoing incidents may allow hackers to identify the ‘crown jewels’ or most valuable information held by an organization amongst vast quantities of data. It could also help attackers improve targeting, gain additional access, effect further damage, and, in the case of ransomware, demand larger ransoms.”) (citations omitted); Comment Letter from Canadian Banker Association (“CBA”) at 6 (May 5, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128288-290991.pdf (“[T]he Proposed Rules may potentially require such service providers to publicly disclose an ongoing and unremediated cyberattack. Such premature disclosure would inhibit the service provider’s ability to respond and could enable bad actors to use the service provider as a vector to attack its customers before the service provider or its customers have had a chance to take remedial measures to mitigate harm.”); see also Letter from Senator Portman at 4 (“[I]f the method of attack is novel involving a ‘zero day’ vulnerability for which no patch exists yet, other organizations which use the vulnerable system or software will also be exposed to attack.”).

31. Form 8-K, Instructions to Item 1.05 (2) (“To the extent that the information called for in Item 1.05(a) is not determined or is unavailable at the time of the required filing, the registrant shall include a statement to this effect in the filing and then must file an amendment to its Form 8-K filing under this Item 1.05 containing such information within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available.”).

32. Comment Letter from Rapid7 at 3 (August 29, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20137661-308069.pdf (“Publicly disclosing ‘the nature and scope’ of material incidents within four business days risks exposing enough detail of an otherwise unique zero-day vulnerability to encourage rediscovery and reimplementation by other criminal and espionage groups against other organizations.”); Letter from Sen. Portman at 4 (“[I]f the method of attack is novel involving a ‘zero day’ vulnerability for which no patch exists yet, other organizations which use the vulnerable system or software will also be exposed to attack.”); Letter from CBA at 6 (“[T]he Proposed Rules may potentially require such service providers to publicly disclose an ongoing and unremediated cyberattack. Such premature disclosure would inhibit the service provider’s ability to respond and could enable bad actors to use the service provider as a vector to attack its customers before the service provider or its customers have had a chance to take remedial measures to mitigate harm.”); Letter from Rapid7 at 3 (“Announcing that a company has an incident may cause other attackers to probe the company and discover the vulnerability or attack vector from the original incident. If the incident is not yet mitigated, the copycat attackers can cause further harm to the company and its investors. From the CERT Guide to Coordinated Disclosure: ‘[M]ere knowledge of a vulnerability’s existence in a feature of some product is sufficient for a skillful person to discover it for themselves. Rumor of a vulnerability draws attention from knowledgeable people with vulnerability finding skills[.]’”) (citing CERT, Guide to Coordinated Vulnerability Disclosure, 5.7 Disclosure Timing, Sep. 16, 2019, https://vuls.cert.org/confluence/display/CVD/5.7+Disclosure+Timing#id-5.7DisclosureTiming-ReleasingPartialInformationCanHelpAdversaries); Letter from Sen. Portman at 4 (“If the registrant is required to disclose an incident before completing remediation of the vulnerability by which an attacker gained access, other opportunistic attackers may identify and exploit the vulnerability to perpetrate further cyberattacks against the registrant.”).

33. Comment Letter from Quest Diagnostics at 3 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128257-290053.pdf (“Moreover, even if a company believes that a cybersecurity event is material, four business days is insufficient for companies to conduct the necessary investigations to collect the information required by Item 1.05, particularly given the need to engage with internal and external experts. This timeframe seeks to rush out disclosures related to cybersecurity matters without taking into account the circumstances surrounding, and the magnitude and complexity of, any given cybersecurity incident.”).

34. See, e.g., Release at 136 (“[T]he disclosure about cybersecurity incidents and cybersecurity risk management, strategy, and governance could potentially increase the vulnerability of registrants. Since the issuance of the 2011 Staff Guidance, concerns have been raised that providing detailed disclosures of cybersecurity incidents could, potentially, provide a road map for future attacks, and, if the underlying security issues are not completely resolved, could exacerbate the ongoing attack. The concern is that malicious actors could use the disclosures to potentially gain insights into a registrant’s practices on cybersecurity. As a result, the final incident disclosure rules could potentially impose costs on registrants and their investors, if, for example, additional threat actors steal more data or hamper breach resolution.”) (citations omitted); Release at 33 (“While there may be, as commenters noted, some residual risk of the disclosure of an incident’s existence tipping off threat actors, such risk is justified, in our view, by investors’ need for timely information, and similar risk already exists today with some companies’ current cybersecurity incident disclosure practices.”).

35. Id. at 33. The full context of this quotation is the argument that “[t]he reformulation of Item 1.05 also addresses the concern among commenters that the disclosure may be tentative and unclear, resulting in false positives and mispricing in the market.” Id. I am unpersuaded.

36. Id. at 37-38 (“For example, for incidents that impact key systems and information, such as those the company considers its ‘crown jewels,’ as well as incidents involving unauthorized access to or exfiltration of large quantities of particularly important data, a company may not have complete information about the incident but may know enough about the incident to determine whether the incident was material. In other words, a company being unable to determine the full extent of an incident because of the nature of the incident or the company’s systems, or otherwise the need for continued investigation regarding the incident, should not delay the company from determining materiality.”) (emphasis added). See also Comment Letter from Wilson Sonsini at 3 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128337-291094.pdf (“[T]here is a risk that disclosures that are rushed may be too broad and generic or, even more problematic, incomplete, inaccurate and potentially misleading.”); Comment Letter from Davis Polk at 1 (May 6, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128282-290896.pdf (“[W]e expect that registrants will be inclined to report as soon as possible without the benefit of a considered analysis of the impact of the incident on the registrant in light of all of the relevant facts and circumstances giving rise to the event, which may not be known for some time.”); Comment Letter from Debevoise at 2 (“[I]n the aftermath of discovery of a cybersecurity incident: (i) a registrant’s information gathering may be hampered in the midst of, or by, the incident; (ii) information about the incident available to the registrant may be incomplete or inconclusive; and (iii) a registrant’s internal management and compliance resources may be under significant strain.”).

37. See Letter from Davis Polk at 1-2 (“[T]his could lead to investor confusion and the mispricing of the registrant’s securities. The fact that registrants could update their disclosure in subsequent reports . . . will be cold comfort to those investors who may suffer a loss as a result of the mispricing of the registrant’s securities following the initial report.”); see also Comment Letter from American Bar Association at 2 (July 20, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20134430-304137.pdf (“Premature disclosure will cause investors more harm than good because they will be making decisions based on information that is often incomplete or inaccurate and without the full context of updated disclosures of other aspects of the company’s operations.”); Comment Letter from Business Roundtable at 3 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128429-291372.pdf (“Disclosure before determining the nature and magnitude of information accessed (even when enough is known to reasonably expect the incident is material) will also lead to questions the registrant is incapable of answering, leading to additional risks and reputational harm. The confusion and uninformed market speculation resulting from such disclosure will force the registrant to deal with harmful volatility in its stock while trying to manage through the cyber incident.”). The Commission could have resolved this issue by explicitly clarifying that Item 1.05 “only requires issuers to disclose information that is known with a high degree of confidence and is unlikely to change.” Letter from American Investment Council at 5 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128346-291107.pdf.

38. A 2022 study of 1,200 large companies worldwide found that less than 1% of cybersecurity breaches are material. In 2021, companies experienced an average of 26.2 cybersecurity incidents per firm, an average of 0.82 of which were material. ThoughtLab, Cybersecurity Solutions for a Riskier World at 14, https://thoughtlabgroup.com/wp-content/uploads/2022/05/Cybersecurity-Solutions-for-a-Riskier-World-eBook_FINAL-2-1.pdf. The study defined material breaches as “those generating a large loss, compromising many records, or having a significant impact on business operations.” Id. at 10. 17% of companies in the study were based in the U.S. Id. at 4. See also Comment Letter from Internet Security Alliance at 13-14 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128395-291300.pdf (“For example, a 2022 study of 1,200 large companies by ThoughtLab found the percentage of breaches that were ‘material’ (defined as ‘generating a large loss, compromising many records, or having a significant impact on business operations’) was less than 1% of all breaches – .07 % in 2021 and .08% in 2022.”).

39. Release at 15 (noting that “‘[d]oubts as to the critical nature’ of the relevant information should be ‘resolved in favor of those the statute is designed to protect,’ namely investors”) (quoting TSC Indus., Inc. v. Northway, Inc., 426 U.S. at 448); see also Letter from American Bar Association at 3 (“[I]nclusion of such an instruction would put pressure on a company to draw conclusions about materiality in the immediate aftermath of an incident with incomplete information in order to avoid any claim that the company could or should have known that the incident was material sooner.”).

40. See, e.g., Comment Letter from American Petroleum Institute et al. at 7 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128380-291283.pdf.

41. See Form 8-K, Instructions to Item 1.05 (3) (“The definition of the term ‘cybersecurity incident’ in 17 CFR §229.106(a) [Item 106(a) of Regulation S-K] applies to this Item.”); see also Item 106(a) of Regulation S-K (“Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”).

42. Proposed Regulation S-K Item 106(d)(2).

43. Comment Letter from U.S. Small Business Administration Office of Advocacy at 1 (May 6, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128275-290621.pdf.

44. Letter from National Retail Federation at 11 (“The proposal’s requirement to disclose policies and procedures to manage cybersecurity risks may highlight company vulnerabilities that could be exploited by cyber criminals or competition. . . . It is undoubtably [sic] important for companies to maintain such policies and procedures. Yet it is equally important for them to remain nimble and able to address quickly emerging threats and trends. The level of detail required by the proposal would allow cybercriminals to search for and exploit vulnerabilities in those policies and procedures and prevent the degree of flexibility companies need to change practices and procedures as threats emerge.”).

45. Comment Letter from Federated Hermes at 4 (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128260-290075.pdf (“[W]e believe that the Commission should provide a reasonable transition period that will give registrants sufficient time to comply with the final rules’ requirements. We recommend a minimum compliance period of at least 24 months, should the Proposal be adopted substantially as proposed.”).