On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules that would require public companies to report detailed information about material cybersecurity incidents affecting their business and their cybersecurity risk management and governance. The new requirements are intended to expand cybersecurity incident reporting and promote increased cybersecurity risk management and governance among publicly traded companies in the United States.
The SEC proposes to require publicly traded companies to report, via Form 8-K, material cybersecurity incidents within four business days after a determination that an incident has occurred. The disclosure clock starts not at the initial discovery of the incident but when the determination of materiality is made. Therefore, companies would not be penalized for late reporting if an incident initially appeared minor but was later determined to be significant enough to trigger the reporting requirement. The initial SEC proposal does not allow companies to delay reporting if law enforcement is investigating and requests a delay in public disclosure of the incident. The standard proposed by the SEC for determining materiality is consistent with the standard articulated by the Supreme Court: an incident is material if “there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision.”
The proposed rule includes a non-exhaustive list of examples of cybersecurity incidents that might trigger the reporting requirement:
Additionally, the SEC would require material updates to previously reported cybersecurity incidents. Updates would be included in the company’s Form 10-Q or Form 10-K for the period in which the update occurred. Non-exhaustive examples of updates include any material impact or potential material impact of the incident on the company’s operations or financial condition, whether the company has remediated the incident, and any changes in the company’s policies and procedures resulting from the cybersecurity incident and how the incident may have informed such changes.
The SEC also proposes to require disclosure in Form 10-Q or Form 10-K when a series of previously undisclosed, individually immaterial cybersecurity incidents becomes material in the aggregate. This would apply, for example, if one malicious actor engages in a number of smaller but continuous cyber-attacks against a company that are related in time and method and, collectively, are either quantitatively or qualitatively material.
If incidents become material in the aggregate, companies would need to disclose:
The SEC proposes to amend Form 10-K further to require disclosures about a company’s cybersecurity risk management systems, including its policies and procedures for identifying, assessing, and managing the risks. The SEC would require the disclosure, as applicable, of whether:
The proposed rule requires a description in a company’s Form 10-K of the board’s oversight of cybersecurity risk, management’s role in assessing and managing cybersecurity risks, the relevant expertise of management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies. Examples of disclosures about the board’s or management’s respective roles include:
Finally, the SEC proposes to require a description of the cybersecurity expertise of the company’s board. Examples include:
The proposed rules now enter a public comment period that will remain open until May 8, 2022 (60 days following publication of the proposing release on the SEC’s website), or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.