SEC Proposes New Public Company Disclosure Rules Aimed at Enhancing Cybersecurity


On March 9, 2022, the Securities and Exchange Commission (“SEC”) issued proposed amendments to its rules aimed at enhancing and standardizing public company disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting (the “Proposed Rules”). The full text of the Proposed Rules can be viewed here.

Overview

In today’s digitally connected world, where an ever-increasing amount of global economic activity occurs through digital technology and electronic communications, the threat of cybersecurity incidents is significant. Potential costs and damages that can stem from a material cybersecurity incident are extensive. In light of the current digital landscape, the Proposed Rules are intended to better inform investors about a company’s cybersecurity risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.

In general, the Proposed Rules would require current reporting about material cybersecurity incidents as well as periodic reporting to provide updates about any such incidents previously reported. The Proposed Rules would also require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. Additionally, the Proposed Rules would require annual reporting about the board of directors’ cybersecurity expertise, if any.

Key Definitions

For the purposes of the Proposed Rules, the following key definitions apply:

  • “Cybersecurity incident” is defined as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
  • “Cybersecurity threat” is defined as “any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.”
  • “Information systems” is defined as “information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.”

Amendments to Form 8-K

The Proposed Rules would add a new Item 1.05 to Form 8-K, which would require a company to provide the following information about a material cybersecurity incident within four business days after the company determines that a cybersecurity incident it has experienced is material:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the company’s operations; and
  • Whether the company has remediated or is currently remediating the incident.

The Proposed Rules provide the following non-exclusive list of cybersecurity incident examples:

  • An unauthorized incident that has compromised the confidentiality, integrity or availability of an information asset (data, system or network), or violated a company’s security policies or procedures;
  • An unauthorized incident that caused degradation, interruption, loss of control, damage to or loss of operational technology systems;
  • An incident in which an unauthorized party accessed, or a party exceeded authorized access to, and altered or stole sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the company;
  • An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
  • An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.

Whether a cybersecurity incident is material may not be immediately apparent upon discovery; the triggering date under the Proposed Rules is the date that the materiality determination is made by the company. The company would be required to make such a determination “as soon as reasonably practicable after discovery of the incident.” Once a materiality determination has been made, an ongoing internal or external investigation related to the cybersecurity incident would not be grounds for a delay in reporting.

The Proposed Rules would also amend General Instruction B of Form 6-K to reference material cybersecurity incidents among the items that may trigger a current report on that Form.

Lastly, under the Proposed Rules, a failure to timely file a Form 8-K under Item 1.05 would not result in loss of Form S-3 or Form SF-3 eligibility. Similarly, Item 1.05 would be added to the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) of, and Rule 10b-5 under, the Securities Exchange Act of 1934.

Amendments to Forms 10-Q/10-K

Proposed Item 106(d)(1) of Regulation S-K would require registrants to disclose in their Forms 10-Q (and Form 10-K, for the fourth quarter) any material changes, additions or updates to cybersecurity incidents previously reported on Form 8-K that occur during the covered period.

The Proposed Rules provide the following non-exclusive list of possible disclosures:

  • Material impacts of the cybersecurity incident on the company’s operations and financial condition;
  • Potential material future impacts on the company’s operations and financial condition;
  • Remediation efforts; and
  • Changes to the company’s policies and procedures resulting from the incident and how the incident may have informed such changes.

In addition, proposed Item 106(d)(2) would require companies to disclose previously undisclosed, individually immaterial cybersecurity incidents when they become material in the aggregate. Under those circumstances, companies would be required to provide the following information in the Form 10-Q (or 10-K) for the quarter in which the company determines that the incidents are material in the aggregate:

  • When the incidents were discovered and whether they are ongoing;
  • A brief description of the nature and scope of such incidents;
  • Whether any data was stolen or altered;
  • The impact of such incidents on the company’s operations and actions; and
  • Whether the company has already remediated or is currently remediating the incidents.

Disclosure of Cybersecurity Policies and Procedures – Item 106(b)

Proposed Item 106(b) of Regulation S-K would require a registrant to periodically disclose its policies and procedures, if any, for identifying and managing cybersecurity risks and threats, including operational risk, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and reputational risk.

As proposed, Item 106(b) would require disclosure of the following:

  • Whether the company has a cybersecurity risk assessment program and, if so, a description of such program;
  • Whether the company engages assessors, consultants, auditors or other third parties in connection with any cybersecurity risk assessment program;
  • Whether the company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider;
  • Any activities undertaken to prevent, detect and minimize effects of cybersecurity incidents;
  • Whether the company has business continuity, contingency and recovery plans in the event of a cybersecurity incident;
  • Whether previous cybersecurity incidents have informed changes in the company’s governance, policies and procedures or technologies;
  • Whether cybersecurity-related risk and incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition and, if so, how; and
  • Whether cybersecurity risks are considered as part of the company’s business strategy, financial planning, and capital allocation and, if so, how.

Disclosure of Cybersecurity Governance and Oversight – Item 106(c)

Proposed Item 106(c) of Regulation S-K would require additional periodic disclosures related to board oversight of cybersecurity risks, as well as a description of management’s role in assessing and managing such risks.

Proposed disclosures regarding board oversight include:

  • Whether the entire board, specific board members or a board committee is responsible for the oversight;
  • The board’s processes for being informed about cybersecurity risks and the frequency of its discussions on this topic; and
  • Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management and financial oversight.

Proposed disclosures relating to management’s role include:

  • Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection and remediation of cybersecurity incidents, as well as the relevant expertise of such persons or members;
  • Whether the company has designated a chief information security officer, or someone in a comparable position, and, if so, to whom that individual reports within the company’s organizational chart, as well as the relevant expertise of any such persons;
  • The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents; and
  • Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.

The new disclosures under proposed Item 106(b) and (c) would be provided in a new Part I, Item 1.C of Form 10-K.

Board of Directors’ Cybersecurity Expertise – Item 407(j)

The Proposed Rules would add a new section (j) under Item 407 of Regulation S-K that would require companies to disclose the names of any directors with cybersecurity expertise, and descriptions of the nature of such expertise, in their proxy statements or information statements in connection with the election of directors, and in their Forms 10-K.

“Cybersecurity expertise” is not defined, although the SEC offers the following non-exhaustive list of examples:

  • Prior work experience in cybersecurity including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
  • A certification or degree in cybersecurity; and/or
  • Any knowledge, skills or other background in cybersecurity including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.

A director who is identified as having cybersecurity expertise would not be deemed to be an expert for any purposes, including for the purposes of Section 11 of the Securities Act of 1933, and any such designation would not increase a director’s responsibilities, obligations or liabilities in his or her capacity as a board member.

Foreign Private Issuers

Lastly, the Proposed Rules would amend Form 20-F to add Item 16J, which would make certain changes similar to those summarized above applicable to foreign private issuers. As proposed, foreign private issuers would be required to provide disclosures related to new material cybersecurity incidents, or updates on previously reported cybersecurity incidents, on Form 20-F.

Comments on the Proposed Rules are due 30 days after publication in the Federal Register or May 9, 2022, whichever is later.


For additional information related to the Proposed Rules, please contact one of the authors listed, or any member of our Securities Law Practice Group.