
SEC Releases Proposed Rules on Enhanced Cybersecurity Disclosures


On March 9, 2022, the Securities and Exchange Commission (“Commission”) issued its much-anticipated proposed rule amendments which would mandate certain cybersecurity disclosures for public companies (“Proposed Rules”). If adopted, the Proposed Rules could have a meaningful impact on the current and periodic reporting process, and complicate incident response, by requiring companies to disclose (i) any material cybersecurity incidents on Form 8-K within four (4) days after determining such a breach is material, (ii) their governance, risk management, and strategy with respect to cybersecurity policies and risks, and (iii) the board of directors’ cybersecurity expertise. The Proposed Rules also would apply to annual filings of foreign private issuers, in order to maintain consistency with domestic registrants.

The Commission noted in its announcement of the Proposed Rules that companies currently provide different levels of specificity regarding cybersecurity incidents, such as an incident’s cause, scope, impact and materiality. Additionally, the Commission observed that some cybersecurity incidents were not disclosed in a registrant’s filings, but were otherwise reported in the media. The Commission also commented that, at times, existing cybersecurity disclosures were mixed with other unrelated disclosures, making it difficult for investors to locate and assess the registrant’s supposed cybersecurity disclosures. As a result, the Proposed Rules seek to address concerns regarding the rise of cybersecurity threats to public companies in both frequency and severity, and the lack of uniformity of existing rules regarding disclosures of cybersecurity incidents and policies.

The comment period for the Proposed Rules expires on the later of (i) thirty (30) days after they are published in the Federal Register or (ii) May 9, 2022 (i.e., sixty (60) days after issuance). Although the Proposed Rules may change before becoming effective, public companies should begin reviewing their own cybersecurity policies and procedures against those being proposed and addressing any gaps.

Disclosure of Material Cybersecurity Incidents

The Proposed Rules, if adopted, would amend the Form 8-K to require registrants to disclose information regarding any cybersecurity incident within four (4) business days after determining that such incident is material. To the extent known at the time of filing, the registrant’s disclosure must include: “(1) when the incident was discovered and whether it is ongoing; (2) a brief description of the nature and scope of the incident; (3) whether any data was stolen, altered, accessed, or used for any other unauthorized purpose; (4) the effect of the incident on the registrant’s operations; and (5) whether the registrant has remediated or is currently remediating the incident.” The Commission does not expect registrants to disclose technical information relating to their response to any such cybersecurity incident or any potential vulnerability that would impede remediation efforts. However, an ongoing investigation into a material cybersecurity incident does not permit a registrant to delay its disclosure obligations under the Proposed Rules, even if it is otherwise permitted to do so under state law.

The Commission also confirmed that “materiality” for purposes of the Proposed Rules would be consistent with applicable case law. In short, information is “material” if “there is a substantial likelihood that a reasonable shareholder would consider it important” when making an investment decision, or if such information would “significantly alter the ‘total mix’” of information available to investors. The Commission further emphasized that a registrant should not engage in a rigid exercise when determining materiality, but should instead conduct an objective analysis, viewing the totality of information and using both quantitative and qualitative factors related to a cybersecurity incident. In terms of timing, the Commission expects registrants to make a materiality determination “as soon as reasonably practicable” after they discover a cybersecurity incident.

Lastly, Forms 10-Q and 10-K would also be amended to require updated disclosures relating to previously disclosed cybersecurity incidents or any new material cybersecurity incidents, including when a series of undisclosed individual immaterial cybersecurity incidents becomes material in the aggregate. The Commission notes that this requirement would balance the necessity of prompt disclosure with the fact that registrants may have incomplete information about a cybersecurity incident at the time such incident is deemed material.

Disclosure of Cybersecurity Risk Management, Strategy, and Governance

In addition to reporting cybersecurity incidents, if adopted, the Proposed Rules would also obligate registrants to disclose their cybersecurity risk oversight policies and procedures. For example, such disclosure may describe a registrant’s cybersecurity risk assessment program and the related activities it takes to detect and prevent cybersecurity incidents, including those involving third parties. Additionally, a registrant must disclose cybersecurity incidents or risks which have affected or are reasonably likely to affect its results of operations and/or financial condition. In sum, the Commission believes that these disclosures will allow investors to better determine the registrant’s risk profile with respect to cybersecurity incidents.

The Proposed Rules also would require disclosure of a registrant’s cybersecurity governance policies, including board oversight procedures. For example, such a disclosure may include whether the board itself, specific board members, or a board committee is responsible for cybersecurity oversight, and detail the process by which the board is informed about cybersecurity risks and incidents. Additionally, the Proposed Rules require a similar description of management’s role with respect to cybersecurity incidents and risks. For example, a registrant would disclose whether certain management positions are responsible for managing cybersecurity risks (such as a Chief Information Security Officer), and the process by which such persons monitor, mitigate and remediate any cybersecurity incidents.

Disclosure of Board of Directors’ Cybersecurity Expertise

To the extent applicable, the Proposed Rules also would add an additional disclosure requirement in certain proxy filings with respect to the cybersecurity expertise of members of the registrant’s board. While the Proposed Rules do not define “cybersecurity expertise,” the Commission provides certain non-exclusive examples, such as a director’s prior work experience, certifications or degrees related to cybersecurity, or any skills or other background in cybersecurity. The Commission also emphasized that a cybersecurity expert will not be deemed an expert for any other purpose, and such a classification will not impose or diminish any duties, obligations or liability on such directors under securities law.

This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.