SEC Proposes Rules to Increase Reporting About Cybersecurity Incidents
As outlined by the Securities and Exchange Commission (SEC) in its proposed changes to rules regarding disclosure of cybersecurity incidents (Proposed Amendments), there has been a steady increase in cyberattacks, some of which have had devastating effects on businesses, consumers, and investors. The SEC proposal is premised on the belief that investors would benefit from more timely and consistent disclosure about material cybersecurity incidents and from greater availability and comparability of disclosure by public companies.
The Proposed Amendments note the significant economic costs associated with cybersecurity incidents. The costs involve business interruption, lost revenue, forensics investigations, damage to digital infrastructure, extortion payments, disclosure of personal and proprietary information, notification and remediation services to affected consumers, regulatory inquiries and enforcement actions, and potential third-party litigation. These costs and liabilities may cause reputational damage, which, compounded with the costs of system restoration and consumer remediation, can damage a company’s stock price and shareholder value.
A key provision of the Proposed Amendments would amend Form 8-K to require companies to disclose information about material cybersecurity incidents within four business days after determining that the incident is material. The amended Form 8-K would require disclosure of the following information about the incident, to the extent known at the time of filing:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on the company's operations; and
- Whether the company has remediated or is currently remediating the incident.
Importantly, this proposed rule uses a broad definition of cybersecurity incident as “an unauthorized occurrence on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.”
The SEC’s Regulation S-K sets out the disclosure requirements for public companies. The Proposed Amendments would add Item 106 to Regulation S-K, resulting in various new disclosure requirements, including:
- Updated disclosures in periodic reports about previously reported cybersecurity incidents via amendments to Forms 10-Q and 10-K;
- Identification of policies and procedures for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity risks as part of its business strategy, financial planning, and capital allocation;
- Disclosure about the board’s oversight of cybersecurity risk, management’s role in assessing and managing such risk, management’s cybersecurity expertise, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies.
In addition, the Proposed Amendments seek to amend Item 407 of Regulation S-K to disclose whether any board members have expertise in cybersecurity, and if so, the nature of such expertise.
The Proposed Amendments also include increased reporting for Foreign Private Issuers (FPIs), which follow different regulatory guidelines and file different forms. For example, FPIs are currently not required to file reports on Form 8-K, which are required for domestic public companies. The proposal includes an amendment to Form 6-K, the form FPIs use to provide disclosures to the SEC, to add “cybersecurity incidents” as a reporting topic. The proposal also seeks to amend Form 20-F, which calls for the submission of an annual report within four months of the end of a company's fiscal year, so that FPIs provide cybersecurity disclosures in their annual reports consistent with the disclosures proposed for domestic companies.
The window for public comments on the Proposed Amendments was projected to close on May 9, 2022; however, it appears comments were submitted as recently as July 20, 2022, and the portal for submitting further comments is still open. The SEC will assess those comments and vote on a final rule. No date for the vote has been announced.