LawFlash

SEC Proposes Mandatory Cybersecurity Disclosures

March 22, 2022

The US Securities and Exchange Commission has proposed new rules and amendments to mandate disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting, including amendments to Form 8-K, Form 10-Q and Form 10-K. As proposed, these new rules and amendments require both current reporting and periodic reporting concerning cybersecurity matters.

On March 9, 2022, the Securities and Exchange Commission (SEC) proposed amendments (the Proposed Rule) to Regulation S-K, Regulation S-T and certain provisions of the Securities Act of 1933, as amended (Securities Act), and the Securities Exchange Act of 1934, as amended (Exchange Act), which seek to enhance and standardize companies’ disclosures concerning cybersecurity risk management, strategy, governance, and incident reporting. Following the promulgation of more informal guidance by the SEC on cybersecurity disclosures in recent years, the Proposed Rule would:

  • add a new Item 1.05 to Form 8-K to require current reporting about material cybersecurity incidents; and
  • through revisions to Form 10-Q and Form 10-K and the addition of new Regulation S-K Items 106 and 407(j), require periodic disclosures regarding cybersecurity matters, namely:
    • policies and procedures employed by companies to identify and manage cybersecurity risks;
    • management’s role in implementing cybersecurity policies and procedures;
  • boards of directors’ cybersecurity expertise and oversight of cybersecurity risk; and
    • updates about previously reported material cybersecurity incidents.

The information required to be disclosed pursuant to the Proposed Rule would also need to be reported using Inline eXtensible Business Reporting Language (Inline XBRL).

Comments on the Proposed Rule will be due on May 9, 2022, which is 60 days following publication of the proposing release on the SEC’s website, or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.

SUMMARY OF THE PROPOSED RULE’S KEY PROVISIONS

Current Reporting of Cybersecurity Incidents on Form 8-K

Under the Proposed Rule, Form 8-K would be amended to add new Item 1.05. As proposed, Item 1.05 would require companies to disclose information about a material cybersecurity incident within four business days after a company determines that it has experienced such an incident. A requirement to report within four days is aggressive and could be challenging when compared to other reporting requirements in the United States, which typically range from 30 to 60 days. However, it is important to underscore that the triggering date is the date that the company makes the materiality determination, not the date that the event occurred or even the date the company became aware of it.

This approach recognizes the reality that following the occurrence of a cybersecurity incident, such as a breach of the company’s information system and infrastructure, it is often necessary for a company to expend significant time and effort to discover, review, analyze, and assess the impact. The release emphasized the SEC’s expectation that a public company will be deliberate and diligent in considering materiality and that such assessment will take into account both quantitative and qualitative factors while still ensuring timely disclosure under the form. While the release provided non-exhaustive examples of cybersecurity events that could be deemed material, a key implication of the proposal is that companies should have policies and procedures in place to not only manage the risk of cybersecurity events, but also to assess the materiality of such events upon occurrence.

New Item 1.05 of Form 8-K would require disclosure, upon determination of a material cybersecurity incident, of:

  • when the incident was discovered and whether it is ongoing;
  • a brief description of the nature and scope of the incident;
  • whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • the effect of the incident on the registrant’s operations; and
  • whether the registrant has remediated or is currently remediating the incident.

In addition, disclosure under Item 1.05 of Form 8-K would be deemed “filed” rather than “furnished” with the SEC. However, the Proposed Rule includes an amendment to the Form S-3 “safe harbor” provision to provide that a failure to file an Item 1.05 Form 8-K would not result in a loss of Form S-3 eligibility.

The Proposed Rule also includes a corresponding amendment to Form 6-K for Foreign Private Issuers (FPIs) to include material cybersecurity incidents as a reportable event under Form 6-K.

Periodic Reporting of Cybersecurity Matters

The Proposed Rule also would explicitly mandate cybersecurity-related disclosure that companies are required to provide in their periodic filings and/or proxy statements, as applicable. Through the creation of new Item 106 of Regulation S-K and Item 407(j) of Regulation S-K, the Proposed Rule would:

  • require companies to provide updated disclosure relating to previously disclosed cybersecurity incidents and to disclose, to the extent known to management, when a series of previously undisclosed, individually immaterial cybersecurity incidents has become material in the aggregate, in their Forms 10-Q (or, for the fourth quarter, in Form 10-K);
  • add disclosure under new Item 106 of Regulation S-K in Forms 10-K requiring companies to:
    • describe their policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the company considers cybersecurity risks as part of its business strategy, financial planning, and capital allocation; and
    • provide disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the company’s cybersecurity policies, procedures, and strategies.
  • amend Item 407 of Regulation S-K to add new Item 407(j), which requires disclosure in Forms 10-K and proxy statements, as applicable, if any member of the company’s board has expertise in cybersecurity, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise. The Proposed Rule would clarify that such an individual is not deemed an “expert” for purposes of Section 11 liability and that the inclusion of a cybersecurity expert on the board will not alleviate or reduce the duties and obligations of other board members in their capacities as directors of a public company. The Proposed Rule would require this disclosure in Part III, Item 10 of Form 10-K; therefore, the company may elect to incorporate such disclosures in the proxy statement to be filed in connection with an election of directors at the annual meeting.

The Proposed Rule also includes corresponding amendments to Form 20-F and Form 6-K for FPIs to include similar periodic reporting disclosures.

Inline XBRL Requirements

As noted above, the Proposed Rule also would require registrants to tag the information provided under Item 1.05 of Form 8-K and Items 106 and 407(j) of Regulation S-K in Inline XBRL, including narrative disclosures as well as quantitative information. The SEC noted that requiring the disclosure to be tagged in this manner would allow the public and all interested parties to more easily extract and analyze information regarding cybersecurity events.

KEY CONSIDERATIONS

If adopted as proposed, the Proposed Rule would impose a variety of new and mandatory cybersecurity disclosure obligations for public companies. Although such disclosures are expected to become more standardized if the Proposed Rule is adopted, most companies will still need to assess how best to disclose their cybersecurity oversight and risk management policies in their periodic reports and/or proxy statements in light of the company’s particular business operations and industries.

Furthermore, the current reporting obligation that would be added to Form 8-K would create an additional disclosure requirement on a relatively short timeline should a company experience a material cybersecurity incident in the future. Companies will have to balance the need for fulsome disclosure under the Proposed Rule while also not disclosing information that might provide a roadmap or other insight to threat actors.

In light of the Proposed Rule and the increased focus on cybersecurity risk management in general by the SEC, it is important for companies to take proactive steps now to address cybersecurity issues in anticipation of potential new disclosure requirements. Specifically, public companies should consider the following:

  • Review, assess, and update existing cybersecurity-related policies and procedures. It is critical for management to assess and analyze existing policies, procedures, and control processes to ensure that they provide effective protection against cybersecurity breaches and to identify gaps that should be remediated. Management may want to consider additional measures and actions to enhance its cybersecurity infrastructure, including expanding the information technology team with personnel who have the relevant expertise and qualifications in cybersecurity management, and providing relevant training and support to personnel who are responsible for cybersecurity matters. For those companies that have not adopted formal policies and procedures, management should consult with internal and external personnel and experts to design and implement optimal cybersecurity policies and procedures.
  • Review and assess corporate governance structure. The board of directors, with the assistance of management, should review and assess the company’s current governance structure and risk management framework to identify areas of focus and improvement. For example, the board may consider establishing a dedicated committee to oversee and manage cybersecurity risks, with the authority to require regular reports and analysis on cybersecurity issues from management. The governance structure should permit open and timely communications to board members so that critical decisions concerning cybersecurity issues can be made at the highest level of the company. Given the SEC’s focus on a “cybersecurity expert” on the board, it may be important for boards and nominating committees to emphasize such qualifications and experience in the nomination process. Companies may also want to revise director and officer questionnaires to include additional questions that solicit information from directors on relevant cybersecurity experience.
  • Review and implement disclosure control procedures. Companies should review existing disclosure control procedures and consider implementing additional processes to ensure that cybersecurity incidents can be identified and communicated quickly to the appropriate personnel who can make disclosure decisions. This may involve building a new or more effective communications channel between the company’s information technology department and the financial reporting team or disclosure committee. This is particularly important if the Proposed Rule is adopted and mandates current disclosures under Form 8-K, which would require companies to establish a process by which a materiality analysis can be performed in a timely manner and, if needed, accurate disclosures regarding material cybersecurity incidents can be prepared and filed with the SEC.

CONTACTS

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Boston
Bryan S. Keighery

Hong Kong
June Chan
Yile (Eli) Gao
William Ho
Louise Liu
Edwin Luk
Billy Wong

New York
Thomas P. Giblin, Jr.
Howard A. Kenny
Kimberly M. Reisler

Philadelphia
Justin W. Chairman
Ezra D. Church
James W. McKenzie, Jr.
Joanne R. Soslow

Pittsburgh
Celia A. Soehner

Princeton
David C. Schwartz

Shanghai
Matthew H. Lewis

Silicon Valley
Albert Lung

Singapore
Bernard Lui
Joo Khin Ng

Washington, DC
Leland S. Benton
Erin E. Martin