SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

March 2022

In an effort to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting, the SEC proposed enhanced and new cybersecurity disclosure requirements. Most significantly, the proposed rules would require: current reporting about material cybersecurity incidents on Form 8-K; periodic disclosures regarding a registrant’s policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, board of directors’ cybersecurity expertise and its oversight of cybersecurity risk, and updates about previously reported material cybersecurity threats; and Inline XBRL tagging of the required disclosures. Comments on the proposal are due on May 9, 2022.
 

Background

In response to the increasing significance of cybersecurity incidents, the SEC issued an interpretive release in 2018 that outlined the Commission’s views with respect to cybersecurity disclosure requirements under the existing federal securities laws. The release reinforced and expanded the guidance on reporting and disclosing cybersecurity risks and incidents that the Division of Corporation Finance issued in 2011. In addition, the release addressed the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context. As the SEC has observed inconsistent disclosure practices, the proposed rules are intended to provide more consistency and comparability of cybersecurity disclosures by public companies across industries.
 

Summary

Incident Disclosures in Form 8-K

Form 8-K would be amended to require disclosure of information about a material cybersecurity incident within four business days after it is determined that a cybersecurity incident is material. A cybersecurity incident would be defined as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” In some cases, the date of the materiality determination may coincide with the date of discovery. However, in other cases, the date of materiality determination may come after the discovery date. In the event of the latter, registrants are expected to be diligent in making a materiality determination as promptly as feasible. To the extent the information is known at the time of filing, Form 8-K would include the following disclosures:
  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the registrant has remediated or is currently remediating the incident.
 

Updates to Previously Filed Form 8-K Disclosure in Periodic Reports

Forms 10-Q and 10-K would be amended to require registrants to provide updated disclosures related to previously disclosed cybersecurity incidents as additional information may become available after the initial Form 8-K is filed. If the disclosures made in the initial Form 8-K become inaccurate or materially misleading as a result of subsequent developments, an amended Form 8-K may be required. Forms 10-Q and 10-K would also be amended to require disclosure of circumstances when a series of previously undisclosed individually immaterial cybersecurity incidents have become material in the aggregate (when known).
 

Risk Management and Strategy Disclosure

Regulation S-K would be amended to require disclosure of a registrant’s policies and procedures for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation. Disclosures would include, among others, whether the registrant has a cybersecurity risk assessment program (including a description, if applicable) and policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service providers.
 

Governance Disclosures

Regulation S-K would also be amended to disclose the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies. To the extent applicable, the disclosures would include the following:
  • Board of Directors’ Role in Overseeing Cybersecurity Risks
    • Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
    • The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
    • Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.
  • Management’s Role in Assessing and Managing Cybersecurity-Related Risks
    • Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
    • Whether the registrant has designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons;
    • The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
    • Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.
 

Cybersecurity Expertise Disclosure

Item 407 of Regulation S-K and Form 20-F would be amended to require disclosure regarding board member cybersecurity expertise. Under the proposal, registrants must disclose in annual reports and certain proxy filings whether any member of the registrant’s board of directors has expertise in cybersecurity and, if so, the names of any such directors and any detail necessary to fully describe the nature of the expertise.