The SEC’s New Proposed Cybersecurity Disclosures: Next Steps for Boards of Directors
The Securities and Exchange Commission is proposing new cybersecurity disclosure rules for public companies. According to the SEC, while public companies have improved their cyber disclosures over time, overall, they have done a poor job of making appropriate disclosures.
Is it a fair assessment by the SEC that companies are doing a poor job? Perhaps. When observing the concern that serious cybersecurity incidents are not being reported, the SEC notes: "Certain cybersecurity incidents were reported in the media but not disclosed in registrant’s filings." When they were reported, the SEC notes a lack of timeliness, specificity, and consistency.
In this article, I will briefly review how we got here, the scope of the proposed rules, and particular issues directors may want to consider in light of the proposed rules.
Those who are interested in the published comment letters submitted to the SEC can see them here.
In 2018, the SEC issued guidance about how to handle and disclose cyber risks and events. The 2018 guidance reinforced and expanded upon previous guidance issued in 2011. It outlined situations where a company should disclose cybersecurity risks and events.
Since then, the SEC has not been shy about taking enforcement actions as needed. Last year, I wrote about the SEC’s enforcement action against one of the leading providers of title insurance and settlement services for lack of cybersecurity controls and procedures.
That was just one of several enforcement actions and investigations around public company cybersecurity.
In June 2021, the Office of Information and Regulatory Affairs announced its Unified Agenda of Regulatory and Deregulatory Actions, which are short- and long-term regulatory actions that administrative agencies plan to take. The SEC’s cyber initiative was on the list.
Then in March 2022, the SEC officially proposed new rules on cybersecurity risk management, governance, and incident disclosure.
Clearly signaling a shift away from a principles-based disclosure regime to a more prescriptive one, the proposed rules are long and detailed.
Board members can think of the proposed disclosure rules as falling into four categories:
- Cybersecurity incidents (on a current and then updated basis)
- Procedures for identifying and managing cybersecurity risks
- Corporate governance/board oversight
- Management’s role in assessing and managing cybersecurity risks
The SEC is proposing registrants disclose material cybersecurity incidents within four business days “after the registrant determines that it has experienced a material cybersecurity incident” on Form 8-K.
The proposed definition of "cybersecurity incident" is expansive while the definition of "material" remains consistent with its normal use in securities law, which is to say "there is a substantial likelihood that a reasonable shareholder would consider it important" (TSC Industries, Inc. v. Northway, Inc.).
Notably, the proposed rules do not contemplate any exceptions to the four-day rule, including, for example, if law enforcement were to prefer a company not make any disclosure as they are conducting an investigation or attempting to catch a bad actor.
Moreover, it goes without saying that whether and when a company determines that an incident is material will be subject to second-guessing by regulators as well as the plaintiffs’ bar. The four-day window is arguably extremely short, particularly given the broad definition of "cybersecurity incident":
Cybersecurity incident means an unauthorized occurrence on or conducted through a registrant’s information system that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
Note that the word "jeopardizes" could be taken to mean that some harm might take place, as opposed to actually taking place. The contingent nature of such disclosure is unlikely to be useful to investors, a point expressed well by the Davis Polk comment letter on the proposed rules.
In addition, as both Ernst & Young and PricewaterhouseCoopers note in their comment letters, assessing materiality can take a considerable amount of time. Failing to take enough time to create quality disclosure could lead to disclosure that is of little use to investors.
Proposed amendments to Form 8-K (Item 1.05) also state that an ongoing internal or external investigation related to the cybersecurity incident would not be an excuse for a reporting delay.
As proposed, the new disclosure requirements would include:
- When the incident was discovered and whether it is ongoing
- A brief description of the nature and scope of the incident
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose
- The effect of the incident on the registrant’s operations
- Whether the registrant has remediated or is currently remediating the incident
After the initial report, the proposed rules (proposed Item 106(d)(1) of Regulation S-K) would require disclosures of any material changes, additions, or updates to cybersecurity quarterly on Form 10-Q or annually on Form 10-K.
These updating disclosures would include:
- Any material impact of the incident on the registrant’s operations and financial condition;
- Any potential material future impacts on the registrant’s operations and financial condition;
- Whether the registrant has remediated or is currently remediating the incident; and
- Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.
The proposed rules would also require disclosure of "when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate," for example, if a bad actor carries out small but continuous cyberattacks against the same company.
In other words, if these attacks were quantitatively or qualitatively material, a company would need to disclose them in the periodic report.
The scope of this proposed disclosure may be challenging to discern. BDO notes in its comment letter, "[a]bsent clarifying guidance, some may interpret the timeframe to be open-ended (such that registrants would need to track and perpetually aggregate the impact of incidents that span fiscal periods, an outcome which we believe is unlikely to produce meaningful disclosure about material cyber incidents)."
In its proposed rules, the SEC notes that “most of the registrants that disclosed a cybersecurity incident in 2021 did not describe their cybersecurity risk oversight and related policies and procedures.”
The new rules would create disclosures around a public company’s ability to identify and manage cyber risks. These would include whether:
- The registrant has a cybersecurity risk assessment program and if so, provide a description of such program;
- The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
- The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
- The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
- The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
- Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies;
- Cybersecurity-related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; and
- Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how.
In some ways, this part of the proposal is the most controversial. Many see the required disclosure as a mere fig leaf covering a more serious effort by the SEC to impose cybersecurity-related requirements on public companies, something that is arguably outside the scope of the SEC’s authority.
The proposed rules ask reporting companies to disclose specifics of the board’s role when it comes to cybersecurity risk oversight, including:
- Whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks;
- The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
- Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.
Notably, the SEC also wants registrants to disclose the cybersecurity expertise of board of director members, including the name and details of their expertise (Regulation S-K, Item 407(j)).
This is equivalent to the current requirement to name financial experts serving on a company’s audit committee. Clearly, the SEC thinks that having a board member with cybersecurity expertise is as important as having at least one audit committee member who is a financial expert.
This is not, however, a universally shared view. For example, the Society for Corporate Governance notes in its comment letter that "[a]mong other things, the proposed rule will pressure issuers to appoint a technical cybersecurity expert to their boards, regardless of whether it is appropriate for their particular governance needs."
The SEC is not proposing a specific definition for cybersecurity expertise, but it included some items for consideration such as:
- Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
- Whether the director has obtained a certification or degree in cybersecurity; and
- Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.
Importantly, the proposed rules contemplate providing a safe harbor for any named cybersecurity experts on the board of directors by noting that such persons will not be deemed experts with enhanced duties or liabilities for any purpose, including Section 11 of the Securities Act.
The SEC further notes that "[c]onversely, we do not intend for the identification of a cybersecurity expert on the board to decrease the duties and obligations or liability of other board members."
The SEC also wants public companies to describe management’s role in cybersecurity, including, but not limited to:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
- Whether the registrant has a designated chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons;
- The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
- Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.
While the SEC has styled this as a disclosure rule, these rules are no doubt designed to pressure public companies to take steps that will bolster their ability to handle cybersecurity risks effectively.
Many elements of the SEC’s proposed cyber disclosures seem reasonable and prudent when analyzed individually; but when taken as a whole, the proposed rules are nothing short of overwhelming.
The proposed rules may be especially overwhelming for smaller public companies, which, as the SEC observes, "[g]enerally provide less cybersecurity disclosure as compared to larger registrants." (Reader, I leave it to you to surmise why this might be.)
Indeed, the SEC implicitly concedes how difficult it is to assess the impact of the proposed rules. For instance, when proposing new rules, the SEC is required to assess their potential economic impact. However, with these new rules, the SEC merely notes that it is "unable to quantify the potential economic effects because we lack information necessary to provide a reasonable estimate." This statement surely applies both to potential benefits and costs.
At the time of writing, it remains to be seen if and to what extent the proposed rules are finalized. A good number of comment letters on a variety of topics were submitted.
As the proposed rules currently stand, there are numerous issues for directors to consider.
1. The Nominating and Governance committee will want to determine whether adding a cybersecurity expert to the board is in shareholders' best interest. As they stand, the proposed rules will apply tremendous pressure to these committees to add a cybersecurity expert, perhaps at the expense of other needed expertise. Wilson Sonsini succinctly expresses the concern in its comment letter:
[B]oard members are expected to manage a wide range of risks that companies face, from cybersecurity risk to geopolitical risks to climate risks to regulatory and litigation risks. Aside from financial expertise, the Commission does not require companies to disclose board members who have specialized expertise in other areas of risk management. Requiring disclosure of cybersecurity expertise distinguishes cybersecurity as though it is a risk that should be managed differently and not within a broader understanding of enterprise risk management. This approach goes against established guidance to companies to integrate and assess cybersecurity risks as part of its overall enterprise risk management.
2. Companies may need to bolster the efficiency of their disclosure committees. The proposed four-day rule may be unworkable; boards and management nevertheless have to make every effort to comply. Now is the time for companies to review who is on these committees, as well as what resources they have to be able to comply with the SEC’s proposed timeline for disclosure. Although the rule is four days from a materiality determination, the SEC has made it clear that it will have no patience for companies attempting to slow-walk a materiality determination.
3. Companies will want to review how they think about the financial impact of a cyber breach. The four-day rule allows very little time for companies to assess the impact of a cyber incident after it has happened. As a result, the onus will be on companies to attempt to calibrate these costs ahead of time, or at least consider a methodology for doing so.
4. Companies may want to reassess their cyber insurance limits. The cyber insurance market is already under tremendous pressure; the new rules will only add to the burden. In the past, companies have relied on their insurance brokers and other experts to help them assess their potential financial exposure in the case of a breach, but there was not much pressure to purchase limits of insurance commensurate with these levels of exposure. The SEC’s push for disclosure about how companies assess and manage their cyber risk will put pressure on companies to purchase more cyber insurance than they have in the past. Working with an expert when it comes to cyber insurance will be key to creating an appropriately sized cyber insurance risk management program. For more on this, check out our Cyber Liability Insurance Buying Guide.
The SEC’s seriousness about cyber-related disclosure is, no doubt, warranted. It remains to be seen whether the SEC will take into account some of the concerns raised by the myriad comment letters submitted for consideration. In any case, it is clear that the SEC is committed to implementing a version of the proposed rules. Boards will want to be sure that their companies are starting to take steps towards compliance now.