The US Securities and Exchange Commission has proposed new rules and amendments to mandate disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting, including amendments to Form 8-K, Form 10-Q and Form 10-K. As proposed, these new rules and amendments require both current reporting and periodic reporting concerning cybersecurity matters.
On March 9, 2022, the Securities and Exchange Commission (SEC) proposed amendments (the Proposed Rule) to Regulation S-K, Regulation S-T and certain provisions of the Securities Act of 1933, as amended (Securities Act), and the Securities Exchange Act of 1934, as amended (Exchange Act), which seek to enhance and standardize companies’ disclosures concerning cybersecurity risk management, strategy, governance, and incident reporting. Following the promulgation of more informal guidance by the SEC on cybersecurity disclosures in recent years, the Proposed Rule would:
The information required to be disclosed pursuant to the Proposed Rule would also need to be reported using Inline eXtensible Business Reporting Language (Inline XBRL).
Comments on the Proposed Rule will be due on May 9, 2022, which is 60 days following publication of the proposing release on the SEC’s website, or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.
Current Reporting of Cybersecurity Incidents on Form 8-K
Under the Proposed Rule, Form 8-K would be amended to add new Item 1.05. As proposed, Item 1.05 would require companies to disclose information about a material cybersecurity incident within four business days after a company determines that it has experienced such an incident. A four-business-day deadline is aggressive and could prove challenging when compared with other incident reporting requirements in the United States, which typically allow 30 to 60 days. However, it is important to underscore that the triggering date is the date on which the company makes the materiality determination, not the date on which the incident occurred or even the date on which the company became aware of it.
This approach recognizes the reality that following the occurrence of a cybersecurity incident, such as a breach of the company’s information system and infrastructure, it is often necessary for a company to expend significant time and effort to discover, review, analyze, and assess the impact. The release emphasized the SEC’s expectation that a public company will be deliberate and diligent in considering materiality and that such assessment will take into account both quantitative and qualitative factors while still ensuring timely disclosure under the form. While the release provided non-exhaustive examples of cybersecurity events that could be deemed material, a key implication of the proposal is that companies should have policies and procedures in place to not only manage the risk of cybersecurity events, but also to assess the materiality of such events upon occurrence.
New Item 1.05 of Form 8-K would require disclosure, upon determination of a material cybersecurity incident, of:
In addition, disclosure under Item 1.05 of Form 8-K would be deemed to be filed, rather than furnished, with the SEC, although the Proposed Rule includes an amendment to the Form S-3 “safe harbor” provision to provide that a failure to file an Item 1.05 Form 8-K would not result in a loss of Form S-3 eligibility.
The Proposed Rule also includes a corresponding amendment to Form 6-K for Foreign Private Issuers (FPIs) to include material cybersecurity incidents as a reportable event under Form 6-K.
Periodic Reporting of Cybersecurity Matters
The Proposed Rule also would explicitly mandate the cybersecurity-related disclosure that companies must provide in their periodic filings and/or proxy statements, as applicable. Through the creation of new Item 106 and new Item 407(j) of Regulation S-K, the Proposed Rule would:
The Proposed Rule also includes corresponding amendments to Form 20-F and Form 6-K for FPIs to include similar periodic reporting disclosures.
Inline XBRL Requirements
As noted above, the Proposed Rule would also require registrants to tag the information provided under Item 1.05 of Form 8-K and Items 106 and 407(j) of Regulation S-K in Inline XBRL, including narrative disclosures as well as quantitative information. The SEC noted that requiring the disclosure to be tagged in this manner would allow the public and other interested parties to more easily extract and analyze information regarding cybersecurity events.
If adopted as proposed, the Proposed Rule would impose a variety of new and mandatory cybersecurity disclosure obligations for public companies. Although such disclosures are expected to become more standardized if the Proposed Rule is adopted, most companies will still need to assess how best to disclose their cybersecurity oversight and risk management policies in their periodic reports and/or proxy statements in light of the company’s particular business operations and industries.
Furthermore, the current reporting obligation that would be added to Form 8-K would create an additional disclosure requirement on a relatively short timeline should a company experience a material cybersecurity incident in the future. Companies will have to balance the need for full disclosure under the Proposed Rule against the risk of disclosing information that might provide a roadmap or other insight to threat actors.
In light of the Proposed Rule and the increased focus on cybersecurity risk management in general by the SEC, it is important for companies to take proactive steps now to address cybersecurity issues in anticipation of potential new disclosure requirements. Specifically, public companies should consider the following:
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Boston
Bryan S. Keighery
Hong Kong
June Chan
Yile (Eli) Gao
William Ho
Louise Liu
Edwin Luk
Billy Wong
New York
Thomas P. Giblin, Jr.
Howard A. Kenny
Kimberly M. Reisler
Philadelphia
Justin W. Chairman
Ezra D. Church
James W. McKenzie, Jr.
Joanne R. Soslow
Pittsburgh
Celia A. Soehner
Princeton
David C. Schwartz
Shanghai
Matthew H. Lewis
Silicon Valley
Albert Lung
Singapore
Bernard Lui
Joo Khin Ng
Washington, DC
Leland S. Benton
Erin E. Martin