SEC Proposes New Cybersecurity Disclosure Requirements for Public Companies

March 23, 2022

The SEC’s Rule Proposals Aim to Assist Investors

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” These proposed rules come in the wake of the SEC’s February 9 proposal related to cybersecurity risk management for registered investment advisers and funds and reflect a concerted effort by the SEC to protect investors from the growing risk of cybersecurity incidents. In the past, public companies have looked to guidance (rather than rules) issued by the SEC in 2011 and 2018 related to cybersecurity disclosures, but the SEC hopes the new proposed rules will provide investors with more timely and consistent information about breaches and the steps public companies are taking to prevent cybersecurity incidents.

Among other things, the proposed rules provide for the following:

1.) Public companies must report material cybersecurity incidents within four business days of the company’s determination that a cybersecurity incident was material.

The proposal would amend Form 8-K to add a new Item 1.05. Notably, the reporting clock starts on the date the company determines the cybersecurity incident is material, not the date the company discovers the incident. Further, public companies should take note that the proposal does not provide an exception to the four-business-day reporting deadline for ongoing internal or external investigations, including law enforcement investigations. The SEC believes that:

“Any such delay provision could undermine the purpose … of providing timely and consistent disclosure of cybersecurity incidents given that investigations and resolutions of cybersecurity incidents may occur over an extended period of time and may vary widely in timing and scope.”

Under the proposal, each disclosure regarding a material cybersecurity incident would include:

  1. When the incident was discovered and whether it is ongoing.
  2. A brief description of the nature and scope of the incident.
  3. Whether any data was stolen, altered, accessed or used for any other unauthorized purpose.
  4. The effect of the incident on the company’s operations.
  5. Whether the company has remediated or is currently remediating the incident.

Some critics have already voiced concerns that these disclosures will expose companies to further attacks, but the SEC is generally dismissive of these concerns, arguing that because companies are not required to provide specific technical information about an incident, the risk of handing other attackers a roadmap is minimal.

2.) Public companies must update previously reported cybersecurity incidents and reveal if any cybersecurity incidents that were previously deemed immaterial are now considered material in the aggregate.

The proposal would add a new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F. Under these items, public companies would disclose material changes, additions or updates to previously reported cybersecurity incidents, including information about the incidents’ effect on their operations and descriptions of remedial steps they have taken, or plan to take, that was not available at the time of the initial Form 8-K filing. Further, if a series of previously undisclosed, individually immaterial cybersecurity incidents becomes material in the aggregate, the company would disclose them.

3.) Public companies must disclose their policies and procedures to identify and manage cybersecurity risk and their boards’ oversight of cybersecurity risks.

The proposal would add a new Item 106(b) and (c) of Regulation S-K and Item 16J of Form 20-F. In addition to disclosing their policies and procedures, public companies would disclose whether they engage assessors, consultants, auditors or other third parties in connection with any cybersecurity risk assessment program; whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risk; the processes by which the board is informed about cybersecurity risks and the frequency of its discussions on this topic; and whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management and financial oversight.

4.) Public companies must disclose their management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.

Alongside the disclosure of management’s role and expertise, the proposal would amend Item 407 of Regulation S-K by adding paragraph (j) to require disclosure about the cybersecurity expertise of members of the board of directors, if any. The relevant disclosure would include the names of such directors and the nature of their expertise. If the proposal is finalized, this requirement could put a premium on finding directors with cybersecurity experience.

In addition, the SEC’s proposal would amend Form 20-F to require foreign private issuers to provide the same types of disclosures regarding cybersecurity risk management and strategy, governance, and incidents and would amend Form 6-K to add “cybersecurity incidents” as a reporting topic.

Proposed Rule Changes Could Lead to Substantial Burdens

KJK will be carefully following the ongoing public comment period for the proposed rules. If implemented, these rules will impose substantial burdens on registrants and inevitably shape the future of registrants’ cybersecurity programs. In the interim, companies should begin reviewing the board’s involvement in managing cybersecurity matters and making appropriate adjustments so that they are prepared to make the required disclosures when the proposed rules, or modified versions of them, are adopted. If you have any further questions regarding the content of this article, please contact Andrew Wilber (AJW@kjk.com; 216.736.7298) or Christopher Hubbert (CJH@kjk.com; 216.736.7215).