The Story So Far With The New SEC Proposed Rules
In March 2022, the Securities and Exchange Commission (“SEC”) announced proposed amendments to its rules (“Proposed Rules”) concerning cybersecurity disclosures for publicly traded companies (“issuers”).
The SEC proposes to adopt rules that will prescribe the format and timing of disclosure of cybersecurity risk management, strategy, governance and incidents, which will supplement its existing disclosure framework. It is likely that the final rules will be published no earlier than late fall 2022, with an effective date of several months after the date of publication.
Some of the proposed rules include:
Cybersecurity Incident Disclosures
The SEC intends to require that issuers disclose cybersecurity incidents and provide specified information about them in a filing with the SEC within four business days after a company determines that the incident is “material.” Such a determination of materiality must be made “as soon as reasonably practicable after discovery of the incident.”
To the extent known, that filing should include details about the incident, including when it was discovered; whether it was ongoing; whether any data was stolen; any effect on operations; and whether the incident has been remediated.
Recognizing that faster disclosure might provide only limited information before an investigation is complete, the SEC also intends to require issuers to update those disclosures periodically in their quarterly filings (or in the issuer’s annual report for a Q4 event). The Proposed Rules do not permit delayed reporting where delay would facilitate a law enforcement investigation, or where it would be permissible under State law because notification would impede a civil or criminal investigation, choosing instead to favor getting information to investors more quickly.
The Proposed Rules note that “a series of previously undisclosed individually immaterial cybersecurity incidents” can “become material in the aggregate” and therefore also mandate disclosure in such circumstances.
Risk Management and Governance Disclosures
The Proposed Rules require disclosure about cybersecurity risk management and governance, including periodic reporting of:
The Board of Directors’ oversight of cybersecurity risks, including (i) the process by which the board is informed about cybersecurity risks; (ii) the frequency of discussions on the topic; and (iii) the cybersecurity expertise of board members.
Management’s role and expertise in assessing and managing cybersecurity risks and implementing policies, procedures and strategies. This includes whether certain management positions are responsible for measuring cybersecurity risk and their relevant cybersecurity expertise.
A company’s policies and procedures to identify and manage cybersecurity risks, including the existence of a risk assessment program, the engagement of any third-party auditors or consultants, and the steps taken to prevent, detect, and minimize the effects of cybersecurity incidents.
Emerging Risk Focus Areas
The agency's release about the proposed rule also highlighted other particular areas that pose increased cybersecurity risk.
Remote Work. The SEC identifies “the prevalence of remote work” as increasing cybersecurity risk. Companies will likely be required to assess how the cybersecurity risks are addressed.
Third Party Vendor Risk. The SEC notes that “cybersecurity incidents involving third party service provider vulnerabilities are becoming more frequent.” The Proposed Rule “would require disclosure concerning a registrant's selection and oversight of third party entities as well.”
Privacy Rules and Harm to Customers. The SEC identified “harm to employees and customers, violation of privacy laws, and reputational damage that adversely affects customer or investor confidence” as disclosable incidents. This category illustrates the increasing intersection of risks from various regulatory regimes that previously operated in silos.
As can be gleaned from the SEC Fact Sheet, the Proposed Rules stem from the SEC’s desire for “more timely and consistent disclosure” about material cybersecurity risks, allowing for “greater availability and comparability of disclosure” for investors about those risks. The SEC considered other forms and timing of disclosures, including on a quarterly cadence or through company websites, but believes that those approaches lack consistency and usefulness to investors. The Proposed Rules observe that some cybersecurity incidents are reported in the media but not in an issuer’s filings with the Commission; to the extent that issuers have disclosed such cybersecurity incidents in Commission filings, such disclosures have contained different levels of specificity about the cause, scope, impact and materiality of incidents. Therefore, the SEC is aiming to lower the threshold — and accelerate the time — for filing an 8-K for a cyber incident as compared to what the SEC views as the current practice. The Proposed Rules are designed to address the SEC’s concern that issuers have not consistently, rapidly, or comprehensively disclosed material cybersecurity events, nor have they adopted adequate cybersecurity measures and governance practices.
It is important to note that an emerging theme among global cybersecurity laws and regulations is aggressive requirements for companies to promptly report data security incidents. For example, on March 16, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This new law will require covered companies to report cyber incidents to the federal government (specifically, to CISA) within 72 hours of discovering the incident. The law also requires that companies report all ransomware payments within 24 hours of making the payment. Many of the details will be developed through a regulatory process. It is also important to remember the European context.