The SEC has proposed rules (Release No. 33-11038) that would require new cybersecurity disclosures from public companies. If adopted, the rules would codify and build upon the Commission's 2018 interpretive guidance on cybersecurity risks and incidents.
The proposed amendments include:
- Form 8-K disclosure of material cybersecurity incidents within four business days of determining that the incident is material
- Forms 10-K and 10-Q disclosures of cybersecurity policies, procedures and governance, plus updates of previously disclosed Form 8-K incidents
- Inline XBRL tagging of the new disclosures
Key Proposed Amendments
- Form 8-K: Proposed new Item 1.05 of Form 8-K would require companies to disclose material cybersecurity incidents within four business days. The clock would start not at discovery but at the company's determination that the incident is material to investors, and companies would be required to make that determination as soon as reasonably practicable after discovering the incident.
  In this disclosure, companies would provide:
  - When the incident was discovered and whether it is still ongoing
  - A brief description of the nature and scope of the incident
  - Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose
  - The effect of the incident on the company's operations
  - Whether the incident has been remediated or is in the process of being remediated
  Companies may omit information not known at the time of filing and may omit technical details whose disclosure could impede the company's response or remediation. The proposal provides no delay for an ongoing internal or external investigation, however: companies could not postpone disclosure to protect an internal investigation or to accommodate cooperation with law enforcement.
- Forms 10-K and 10-Q: Proposed Item 106(d) of Regulation S-K would require companies to provide updates regarding previously disclosed cybersecurity incidents. The proposal would also require disclosure when a series of individually immaterial cybersecurity incidents has become material in the aggregate.
- Form 10-K: Proposed Item 106 of Regulation S-K would require the following disclosures:
  - Policies and procedures for identifying and managing cybersecurity risks
  - Cybersecurity governance and the board of directors' oversight role, including which directors or committee are responsible for that oversight and how often the board discusses cybersecurity risk
  - Management's role and relevant expertise in assessing cybersecurity risks and in implementing related policies, procedures and strategies
  - Whether a chief information security officer has been appointed and his or her relevant expertise
  Proposed new Item 407(j) of Regulation S-K would separately require disclosure of the cybersecurity expertise, if any, of individual board members.
- Forms 20-F and 6-K: The SEC also proposed conforming changes for foreign private issuers, so that they would make comparable incident and annual disclosures on Forms 6-K and 20-F.
Changes to SEC’s 2018 Guidance
The proposed rules codify much of the 2018 guidance, which many public companies already follow. For example, the guidance encouraged companies to adopt cybersecurity risk management policies and procedures that support timely disclosure, and to disclose the board's role in overseeing cybersecurity risk. The proposed rules convert these encouraged practices into required disclosures.
The proposed rules also increase the burden of incident disclosure. Under the 2018 guidance, the SEC expected companies to discuss cybersecurity incidents or risks only where they would materially affect the company, with no fixed timetable. The proposed Form 8-K amendment keeps the materiality standard but adds a fixed four-business-day deadline and prescribes a substantial list of information that a material incident disclosure is expected to contain.
In anticipation of these new rules being adopted, companies should be prepared to address the following:
- Controls and procedures for escalating cybersecurity incidents, including a documented process for making the materiality determination as soon as reasonably practicable after an incident, since that determination starts the four-business-day clock.
- Controls and procedures for tracking previously reported incidents and producing the required updates, and for assessing whether a series of individually immaterial incidents has become material in the aggregate.
- Whether to designate a chief information security officer and where that role sits in the company's organizational chart, given that the disclosure asks whether one has been appointed and what relevant expertise he or she has.
- Updating annual and quarterly report checklists to include the new Form 10-K and Form 10-Q disclosure requirements.
- Involvement of the board and the disclosure committee in evaluating cybersecurity disclosures, and documentation of how often the board considers cybersecurity risk.
- Cybersecurity vendors' and service providers' current practices, in particular their incident notification terms, and whether those align with the company's own disclosure obligations and timelines.
The SEC has been shortening its comment periods; comments on the proposed rules are due on the later of May 9, 2022 or 30 days after publication of the proposal in the Federal Register.
If you have any questions about these or related topics, your regular Locke Lord contact or any of the authors can discuss these matters with you.