SEC proposes mandatory cybersecurity disclosures

On March 9, 2022, the Securities and Exchange Commission (the SEC) proposed amendments to certain rules regarding cybersecurity disclosure in order to standardize and to enhance disclosures made by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the Proposal).¹ The Proposal follows on the heels of a recent SEC proposal designed to enhance the cybersecurity practices at investment advisers and SEC-registered investment companies (Funds),² and both proposals are part of a broader effort to increase focus on cybersecurity.

If adopted, the Proposal would require:

• Reporting of material cybersecurity incidents within four business days on Form 8-K;
• Periodic disclosures regarding (i) a registrant’s policies and procedures used to identify and manage cybersecurity risks, (ii) management’s role in implementing cybersecurity policies and procedures, (iii) the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk, and (iv) updates about previously reported material cybersecurity incidents; and
• Companies to make cybersecurity disclosures in Inline eXtensible Business Reporting Language (XBRL).

The SEC—noting that current cybersecurity disclosure practice is not consistent, comparable, or useful to investors—aims to strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting in today’s digitally connected world.

Background and current practice 

Currently, there are no specific disclosure requirements provided under Regulation S-K and Regulation S-X that require public companies to disclose any cybersecurity risks or incidents. Yet, as the importance and frequency of cybersecurity incidents increased, the SEC and staff issued two sets of interpretive guidance discussing cybersecurity risk: (i) interpretive guidance issued by the Division of Corporation Finance in 2011 (the 2011 Staff Guidance), and (ii) interpretive guidance issued by the SEC in 2018 (the 2018 Interpretive Guidance). The 2011 Staff Guidance provides the Division of Corporation Finance’s views about what cybersecurity incidents and risks may trigger disclosure obligations. The 2018 Interpretive Guidance reinforces and expands the 2011 Staff Guidance by addressing the significance of cybersecurity policies and procedures, and discusses insider-trading prohibitions in the context of cybersecurity.

Proposed amendments

General

The Proposal provides amendments to certain rules and forms by creating new line items; however, the Proposal focuses on disclosures made on Form 8-K.

Impact on forms

• Form 8-K:  The Proposal would add “Item 1.05” to Form 8-K, which requires registrants to disclose any “material” cybersecurity incident within four business days. That four-day window would begin when the registrant decides such incident is material. Moreover, registrants would need to describe the nature and severity of the incident. Specifically, Item 1.05 would require disclosure of the following:
   
  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the registrant has remediated or is currently remediating the incident.

A registrant may use this list to help determine whether an incident was material—i.e., whether “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if information about an incident would have “significantly altered the ‘total mix’ of information made available.”

The SEC in its proposal also provides a non-exclusive list of cybersecurity incidents that may, if determined by the registrant to be material, trigger the disclosure requirement:

• An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network), or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
• An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
• An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered or stole sensitive business information, personally identifiable information, intellectual property, or information that resulted, or may result, in a loss or liability for the registrant;
• An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
• An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.

It is important to note that even incidents that do not impact personal information could trigger reporting obligations under the Proposal.

Lastly, Item 1.05 does not provide for a reporting delay when there is an ongoing internal or external investigation related to a cybersecurity incident. The SEC does note that it would not expect a registrant to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities, to the extent that such disclosure could cause increased risk or impede any response to or remediation of the incident.

• Form 10-K and Form 10-Q: The Proposal would require registrants to provide updated disclosure relating to the cybersecurity incidents previously disclosed on Form 8-K. The proposal would also require disclosure if a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate, to the extent such incidents are known to management.

Furthermore, the Proposal would amend Regulation S-K by adding new “Item 106” and amending “Item 407” to require registrants to disclose:

• Policies and procedures, if any, for identifying and managing cybersecurity risks; and
• Information related to cybersecurity governance (including the board of directors’ oversight role and management’s role and relevant expertise).

• Form 20-F: The Proposal would require foreign private issuers to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure if a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate, to the extent such incidents are known to management.
   
• Form 6-K:  The Proposal would add “cybersecurity incidents” as a reporting topic.

Application to business development companies

• The Proposal currently has no exclusions for business development companies (BDCs); however, the SEC requested comments discussing whether the Proposal should be applicable to BDCs. Therefore, it is unclear whether if passed it would apply to BDCs in full or in part, if at all.³

^​Reporting format

• The Proposal also would require registrants to make disclosure in XBRL format.

Comment period

The public comment period will remain open by May 9, 2022 or 30 days following publication of the proposing release in the Federal Register, whichever is later.

Comments submitted to date are available on the SEC’s website.⁴

Conclusion

The Proposal standardizes cybersecurity-related disclosure to ensure that all registrants disclose information in a consistent, comparable, and decision-useful manner, as currently this type of disclosure varies widely in practice and registrants provide information about the cause, scope, impact, and materiality of cybersecurity incidents at different levels of specificity.

We expect that proposed rules would affect all reporting companies that are filing Forms 8-K, 10-K, 10-Q, 20-F, or 6-K, and proxy statements.  Therefore, we believe that it is important for registrants to consider (i) reviewing and implementing policies and procedures related to cybersecurity-incident detection and reporting, taking into account the proposed rules, (ii) the additional costs of implementing the reporting and oversight mechanisms required by the Proposal, and (iii) providing trainings to directors and senior management on cybersecurity-related risks and oversight.

Cynthia M. Krus | Email | +1 202 383 0218
Dwaune L. Dupree | Email | +1 202 383 0206
Lea H. Schild | Email | +1 202 383 0310
C. Erdi Yildirim | Email | +1 202 383 0342

_____

¹ https://www.sec.gov/rules/proposed/2022/33-11038.pdf.

² For more information on this rule proposal that applies to investment advisers and Funds, see Eversheds Sutherland’s recent legal alert, SEC cybersecurity risk management rules for investment advisers, funds and business development companies, available at https://us.eversheds-sutherland.com/NewsCommentary/Legal-Alerts/249043/SEC-proposes-cybersecurity-risk-management-rules-for-investment-advisers-fundsand-business-development-companies.

³ To the extent that the Proposal may apply to BDCs, any new disclosure requirements would be in addition to the requirements BDCs would be subject to under the SEC’s recent rule proposal calling for enhanced cybersecurity practices, if adopted. See footnote 2 for more information.

⁴ https://www.sec.gov/comments/s7-09-22/s70922.htm

If you have any questions about this legal alert, please feel free to contact any of the attorneys listed under Related People/Contributors or the Eversheds Sutherland attorney with whom you regularly work.