Cydney S. Posner is Special Counsel at Cooley LLP. This post is based on her Cooley memorandum.
At an open meeting on Wednesday last week, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure. In his statement at the open meeting, Commissioner Jaime Lizárraga shared the stunning statistics that, last year, 83% of companies experienced more than one data breach, with an average cost of in the U.S. of $9.44 million; breaches increased 600% over the last decade and total costs across the U.S. economy could run as high as trillions of dollars per year. Given the ubiquity, frequency and complexity of these threats, in March last year, the SEC proposed cybersecurity disclosure rules intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. Although a number of changes to the proposal were made in the final rules in response to objections that the proposal was too prescriptive and could increase companies’ vulnerability to cyberattack, the basic structure remains the same, with requirements for both material incident reporting on Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gensler, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors….Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Here are the final rule, the fact sheet and the press release.
Of course, the SEC’s concerns about cybersecurity disclosure are not new. In 2018, the SEC issued long-awaited guidance on cybersecurity disclosure. The guidance addressed disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. That guidance built on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding, in particular, new discussions of policies and insider trading. While the guidance was adopted unanimously, some of the commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 staff guidance—and hardly more compelling. (See this PubCo post.) Moreover, although there were improvements in disclosure following release of the guidance, concern mounted that company disclosures were not consistent, comparable or decision-useful, with “different levels of specificity regarding the cause, scope, impact and materiality of cybersecurity incidents.” In addition, cyber risks had escalated during and after the pandemic with more remote work, together with more widespread reliance on third-party service providers and “rapid monetization of cyberattacks facilitated by ransomware, black markets for stolen data, and crypto-asset technology.”
READ MORE »
