SEC Proposes Additional Cybersecurity Rules

On March 9, 2022, the Securities and Exchange Commission (“SEC”) issued a proposed rule on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. The SEC will likely vote to finalize the rule before the summer.

Proposed Rule Provisions

Among other things, under the proposed rule, public companies would be required to disclose information about “material cybersecurity incidents”, and policies and procedures related to cybersecurity risk management.

Incident Disclosure

Under the proposed rule, Form 8-K, the form currently used for cybersecurity incident disclosures, would be amended to require publicly registered companies (“registrants”) that experience a “material cybersecurity incident” to disclose the following:

· The date and time the qualifying incident was discovered, and a determination as to whether the incident is ongoing;

· A description of the nature and scope of the incident;

· Any data that was stolen, altered, accessed, or used for an unauthorized purpose;

· The effect the incident had on the registrant’s operations; and

· Whether the incident has been or is currently being remediated.

These disclosures should be made on an amended version of Form 8-K within four business days after a company determines an incident to be “material.” The proposal specifically states that the disclosure requirement is triggered upon this materiality determination, not upon the incident’s discovery.

A “material cybersecurity incident” is defined consistently with established case precedent in securities law. In other words, the information will be deemed material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision or if it would “significantly alter the ‘total mix’ of information made available.” The proposal also provides a non-exhaustive list of examples of incidents that may be material.

Additionally, proposed items would require registrants to provide the SEC with updated information on a material cybersecurity incident that was previously disclosed on Form 8-K, and to disclose incidents which were not previously deemed “material” but are deemed material when aggregated with other “immaterial” incidents.

The required filings would permit investors to obtain information about reported incidents for which, at the time of the original disclosure, registrants may not have had sufficient information or may not yet have taken action to resolve. These filings require the registrant to document the remedial actions it has taken—or will take—to respond to the incident, which is not information required under Form 8-K but would ostensibly be relevant to an investor.

In addition, the form that foreign private issuers of securities utilize for disclosures, Form 6-K, would be amended to add “cybersecurity incidents” as a potential trigger for mandatory filing.

Periodic Disclosures

Under the proposal, companies would be required to make periodic disclosures about their policies and procedures to identify and manage cybersecurity risks.

In addition to the requirement to update disclosures, Item 106 would be added to Regulation S-K so that a registrant would be required to:

· Outline the policies and procedures for identifying and managing risks resulting from an incident or threat, “including whether the registrant considers cybersecurity risks as part of its business strategy, financial planning and capital allocation”; and

· Disclose:

  o The board’s cybersecurity risk oversight;

  o The role of management in assessing and managing these risks;

  o The cybersecurity expertise of management; and

  o The role of management in implementing the registrant’s cybersecurity policies, procedures, and strategies.

In addition, the proposal would amend Item 407 of Regulation S-K and Form 20-F to require registrants to disclose whether any member of their board has expertise in cybersecurity. If members of the board do have such expertise, the registrant would be required to disclose the nature and extent of that expertise.

The proposal does not define this expertise, but it provides a non-exhaustive list of criteria to consider in making the determination, such as prior work experience in cybersecurity, a certification or degree in cybersecurity, or “knowledge, skills, or other background in cybersecurity.” Importantly, if a board member is designated as possessing “cybersecurity expertise,” the proposal clarifies that they would not be deemed an “expert” for any other purpose.

Considerations for Businesses

The proposal is subject to a 60-day public comment period following the publication of the release on the SEC’s website—or 30 days following publication in the Federal Register, whichever period is longer.

The proposal notes that the amendments are intended to better inform investors about the risk management, strategy, and governance practices of SEC registrants, and are designed to provide the agency with timely notice of incidents. According to a statement by SEC Chair Gary Gensler, the need for this proposal is significant, considering the emerging and evolving risks from cybersecurity incidents in the United States today.

Public companies that may be subject to this proposed rule should review and update their cybersecurity incident response and disclosure plans, board oversight provisions, and management programs for the governance of vendors and third-party service providers accordingly.
