Published on April 8th, 2022

SEC Enhancing Disclosure Requirements For Cybersecurity

Over the last few years, the Securities and Exchange Commission
(the "SEC" or "Commission") has issued guidance
and proposed rules to enhance existing cybersecurity disclosure
requirements, and that trend continues in 2022. The SEC first issued
cybersecurity-related guidance in 2011, when the SEC's Division of
Corporation Finance described how to disclose cybersecurity risks and
incidents, and again in 2018, when the Commission provided
interpretive guidance to reinforce and expand the 2011 staff
guidance. This year, the Commission has already waded into the
cybersecurity rulemaking arena twice in substantial ways.

First, on February 9 the SEC proposed a cybersecurity-related
rule, Rule 206(4)-9 under the Investment Advisers Act of 1940, that
would impose additional requirements on registered investment
advisers related to preventative cyber risk management, incident
reporting and disclosure, and record keeping. For Akerman's
insight into this proposed rule, see Akerman's Practice Update "SEC's New
Proposed Rules Contain Changes for Investment Advisers of
Private Funds" (February 22, 2022).

And second, on March 9 the SEC issued a 129-page
cybersecurity-related proposed rule that would require public
companies to disclose cybersecurity incidents more quickly; update
prior disclosures of cybersecurity incidents as needed;
periodically describe their risk governance and management
strategies; report whether their management or directors have
cybersecurity expertise; and provide the proposed disclosures in
Inline eXtensible Business Reporting Language ("Inline
XBRL"), among other things (the "Proposed Rule").
Specifically, in a 3-1 vote along party lines, the Commission
proposed that public companies that are subject to the reporting
requirements of the Securities Exchange Act of 1934 be required
to:

  • Report "material cybersecurity incidents" on Form 8-K
    within four business days of determining that an incident is
    material;
  • Update and provide more detail about previously reported
    cybersecurity incidents on Forms 10-K and 10-Q;
  • Disclose the company's policies and procedures to identify
    and manage cybersecurity risks, management's role in
    implementing cybersecurity policies and procedures, and the
    board's oversight of cybersecurity risks on Form 10-K; and
  • Disclose whether any board member has cybersecurity expertise
    in proxy statements and annual reports.

The Proposed Rule is intended to enhance and standardize
disclosures regarding cybersecurity risk management, strategy,
governance, and incident reporting by public companies. In
announcing the Proposed Rule, SEC Chair Gary Gensler said that
"companies and investors alike would benefit if this
information were required in a consistent, comparable, and
decision-useful manner
." Key elements of the Proposed
Rule, and their potential benefits and concerns, are discussed in
detail below.

Prompt and Standardized Disclosure of Material Cybersecurity
Incidents

Under the Proposed Rule, upon determining that an incident is
"material," a public company would have four business
days to disclose it on Form 8-K under new proposed Item 1.05. The
Commission said that determining "materiality" for purposes of
cybersecurity incident disclosure would be consistent with its
existing standards for materiality, and cited TSC Industries, Inc.
v. Northway, Inc., 426 U.S. 438, 449 (1976); Basic, Inc. v. Levinson,
485 U.S. 224, 232 (1988); and Matrixx Initiatives, Inc. v. Siracusano,
563 U.S. 27 (2011). The Proposed Rule provides a non-exclusive list of
examples of cybersecurity incidents that may trigger the proposed
disclosure requirement if the company determines them to be material.

A company that makes a determination that an incident is
material would have four business days to report the following
information to the Commission under new proposed Item 1.05 of Form
8-K:

  • when the incident was discovered, and if it is continuing; the
    scope and nature of the incident;
  • if any data was stolen, altered, accessed, or used for an
    unauthorized purpose;
  • the impact on operations; and
  • if the company has remediated or is currently remediating the
    incident.

Current reports on Form 6-K that are required of foreign private
issuers instead of Form 8-K would also be amended to add
"cybersecurity incidents" as an item that may trigger a
Form 6-K. The Proposed Rule would not require companies to disclose
specific technical details about any breaches or remediation
efforts (which may risk providing hackers with information to use
in future cyberattacks), but aims to inform investors about
incidents that could negatively impact a business through
interruptions, extortion, reputational harm, stock declines, or
lost revenue. Additionally, ongoing internal or external
investigations (including law enforcement investigations) into the
cybersecurity incident would not be grounds for a company to delay
reporting the incident, even if the company would otherwise be
permitted to delay public notice under applicable state law. Lastly,
it is important to note that failure to timely file a Form 8-K for a
cybersecurity incident would not result in a loss of Form S-3
eligibility.

Updated Disclosures of Previous Incidents

Under the Proposed Rule, public companies would also be required,
under proposed Item 106(d) of Regulation S-K, to provide updated
disclosure in their periodic reports about any previously disclosed
cybersecurity incident, for as long as there are material changes,
additions or updates to that disclosure during a given reporting
period. The Proposed Rule provides the following examples of the
type of updated disclosure that should be provided:

  • any material impact of the incident on the company's
    operations and financial condition;
  • any potential material future impacts on the company's
    operations and financial condition;
  • whether the company has remediated or is currently remediating
    the incident; and
  • any changes in the company's policies and procedures as a
    result of the cybersecurity incident, and how the incident may have
    informed such changes.

Further, to the extent known to management, a company would
also be required to provide disclosure when a series of previously
undisclosed incidents has become material in the aggregate. The Commission
noted that this requirement to update previous disclosures is a
recognition that a company's understanding of a cybersecurity
incident will likely evolve over time (e.g., they may gain a better
understanding of the scope of the incident, whether customer data
was compromised, the impact on operations, and whether remediation
efforts were effective). This proposed requirement for companies to
disclose updated information allows investors to stay informed as
the company's knowledge of the event evolves.

Cybersecurity Risk Management, Strategy and Governance

In addition to requiring prompt and standardized disclosures
about cybersecurity incidents, the Proposed Rule also aims to
enhance and standardize public companies' disclosures about
cybersecurity risk management, strategy, and governance. In its
Proposed Rule, the Commission noted that Division of Corporation
Finance staff observed that most companies that disclosed a
cybersecurity incident in 2021 did not also describe their risk
oversight or any related policies and procedures and may have only
provided general disclosures. The Proposed Rule would require
companies to provide more detail. Specifically, companies would be
required to describe their policies and procedures to identify and
manage cybersecurity threats, including whether cybersecurity is a
part of the company's business strategy, financial planning, and
capital allocation; and to disclose information in their annual
reports and certain proxy filings about the board's oversight of
cybersecurity risk. The Proposed Rule sets out specific
requirements for each of these disclosures.

Another important aspect of the Proposed Rule relates to the
board's oversight of cybersecurity risk. Proposed Item 106(c)
of Regulation S-K would require a discussion, as applicable, of the
following:

  • whether the entire board, specific board members or a board
    committee is responsible for the oversight of cybersecurity
    risks;
  • the processes by which the board is informed about
    cybersecurity risks, and the frequency of its discussions on this
    topic; and
  • whether and how the board or board committee considers
    cybersecurity risks as part of its business strategy, risk
    management, and financial oversight.

Proposed Item 106(c) would also require companies to disclose
management's role, and its relevant expertise, in assessing and
managing cybersecurity risk and in implementing the related policies
and procedures, including how management reports to the board on
those risks.

The Commission believes that providing more detail about a
company's policies, procedures, and strategies for mitigating
cyber risks will help investors make more informed
decisions. In addition, companies would be required to provide a
description of their board's cybersecurity expertise (e.g.,
work experience in cybersecurity, including as an information
security officer, security policy analyst, security auditor,
security architect or engineer, security operations or incident
response manager, or business continuity planner; or a certification
or degree in cybersecurity). Of note, the Proposed Rule
would require disclosure of the name of any director having
cybersecurity expertise and a description of the nature of that
expertise.

The Proposed Rule would also amend the annual report on Form
20-F applicable to foreign private issuers to require the same
types of disclosure relating to risk management, strategy and
governance discussed above.

Potential Benefits of Proposed Rule

As Chairman Gensler stated, the Proposed Rule could have
benefits for both companies and investors. For example:

  • With this Proposed Rule, companies dealing with the aftermath
    of a cybersecurity breach would have improved, uniform guidance
    about what to disclose and how to disclose it.
  • By requiring quicker and more uniform responses, companies
    would understand how to best address cybersecurity incidents, and
    as a result, investors can trust that material cybersecurity
    incidents will be disclosed promptly and with important details
    about how the breach may impact the company.
  • The additional focus on disclosing the cybersecurity experience
    of directors and management's cybersecurity governance may
    encourage companies to seek out directors and executives with those
    skills, which could lead to enhanced cybersecurity knowledge and
    experience at companies. This could offer companies more protection
    from cybersecurity incidents.
  • By requiring the disclosure of a company's board
    cybersecurity expertise, the SEC may be signaling that it wants
    companies to have at least one board member who is a cybersecurity
    expert. This may be similar to the way the Commission encourages an
    issuer to have at least one "audit committee financial
    expert" on its audit committee (and if there is not such an
    expert, the issuer must explain why in its disclosures).

Potential Negatives of Proposed Rule

Despite the good intentions of the new disclosure requirements,
companies may find them burdensome and challenging to implement.
The Proposed Rule raises many potential issues, including:

  • Is it realistic to require companies to comply with a four
    business day deadline from the determination that a cybersecurity
    incident is material to then determining how to properly disclose
    it?
  • Is this deadline an arbitrary timeframe that puts the desires
    of investors to know about cyber incidents ahead of companies'
    ability to accurately understand and disclose them? Similarly,
    could the four business day deadline force companies to rush to
    make improper materiality determinations?
  • Could a company seeking to comply with the rules err on the
    side of disclosure and unnecessarily disclose a cyber incident that
    is later determined to be non-material?
  • Would the rush to meet the four business day disclosure
    requirement and the potential for generic and possibly misleading
    disclosure in the Form 8-K ultimately undermine investors'
    ability to rely on these disclosures?
  • Despite the SEC's comment that it does not expect companies
    to disclose system vulnerabilities and specific technical responses
    to cybersecurity incidents, could the four business day disclosure
    requirement inadvertently encourage other bad actors to attack a
    company's cybersecurity systems?
  • How will companies reconcile the SEC's four business day
    turnaround with overlapping and possibly conflicting notification
    requirements to the multiple agencies that can govern cybersecurity
    breaches, as well as state or local laws that may mandate that
    customers or other affected persons be notified in the event of a
    breach?

Conclusion

While the SEC's most recent Proposed Rule continues its
efforts to enhance investors' ability to understand the impact
of cybersecurity incidents on public companies, it remains to be
seen whether companies will be able to comply with the Proposed
Rule as written.

The SEC is likely to receive significant commentary from both
companies and the investing public during the rulemaking process.
The public comment period is open through May 9, 2022. In the
meantime, public companies should take this opportunity to assess
how their cybersecurity policies and procedures align with the
reporting requirements of the Proposed Rule and how they can begin
to close the gap.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
