SEC Proposes Robust Cyber Incident Reporting for Public Companies
The Securities and Exchange Commission is busy. The new Chairman, Gary Gensler, hit the ground running and is pushing an active agenda of policy issues and enforcement. Along with this push, the SEC’s new enforcement director, Gurbir Grewal, is ramping up enforcement actions and priorities. Together, they position the SEC to have a big impact on policy and enforcement. As always, a limiting force will be resources, primarily personnel.
The SEC issued proposed climate change disclosure requirements. Before doing so, the SEC issued new and robust disclosure rules for cyber incidents. The SEC is filling in a long-time gap that Congress and prior administrations sought to address but usually failed to close under industry pressure and pushback. In the public company sphere, however, the SEC is now moving forward.
The proposed rules impose some significant requirements. Public companies will face a new era of accountability on cyber risks. There has been a lack of consistency in how companies handle cyber incidents, and the SEC is seeking to impose some basic requirements. Corporate boards, senior management and employees will have to be educated on these new requirements, and companies will have to build extensive internal controls surrounding disclosure obligations and management of cyber risks.
In releasing the proposed rules, Chairman Gensler described the SEC’s intent as requiring disclosure of information in a “consistent, comparable and decision-useful manner.”
There is no question that cyber risks continue to increase. No longer can companies rely on basic security practices and robust insurance policies to protect against significant financial and reputational outcomes. As a result, investors face significant exposure, and the SEC is seeking to fill this gap with some basic requirements.
The SEC’s push on this issue will cause companies to review their cybersecurity and governance practices with an eye towards improvement and meaningful disclosure controls. This is a welcome development – companies have often patched together a framework for managing these risks, and a more comprehensive strategy is needed.
The new rules broadly address current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risks; the board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.
Materiality and Reporting
The SEC is proposing to require companies to report cyber incidents by filing a Form 8-K within four days of the incident occurring. This is a significant burden and requirement. A material cybersecurity event has been added to the list of typical 8-K reportable events. The new rule also provides a comprehensive listing of what information should be included in the Form 8-K filing, including: (1) when the incident was discovered and whether it is ongoing; (2) a brief description of the nature and scope of the incident; (3) whether any data was stolen, altered, accessed or used for any other unauthorized purpose; (4) the effect of the incident on the company’s operations; and (5) whether the registrant has remediated the incident or is in the process of doing so.
The new rule replaces prior guidance that keyed disclosure requirements to the date the incident/breach was discovered. Under the new rule, the four-day reporting requirement begins from the date the incident occurred, a significant change requiring robust monitoring and tracking of a company’s cyber status.
The new rule raises difficult issues around potential breaches involving ransomware attacks. At the same time, companies will have to establish a rapid but thorough process for assessing the materiality of a cyber incident. Cyber risks carry a long list of potential consequences, including reputational damage, litigation costs, remediation costs, and fines and penalties. In serious cases, the continued viability of the business may be threatened.
Even from a financial point of view, companies will have to assess the financial impact of cyber risk exposure. It is difficult to reach such determinations in the early stages of a cyber incident given the lack of accurate information as to the full potential scope of a cyber incident.
To date, most companies rely on insurance to protect the company from catastrophic results. Given the increasing impact of cyber incidents, insurance may not be sufficient to mitigate those risks. Corporate boards and senior management will have to develop a systematic and pre-defined process for assessing the impact of cyber incidents and build disclosure obligations around this analysis.
Companies may tilt the balance to non-disclosure based on a finding of immateriality but run the risk of future SEC enforcement, shareholder litigation and other civil investigations. In the face of significant impact, such a course would be risky and raise serious governance and compliance concerns.
Expanded Cyber Disclosures
The SEC’s new disclosure rules stretch beyond cyber incident reporting to include standardized disclosure of a company’s cybersecurity risk management, strategy, and governance. Specifically, the SEC is proposing to add Item 106 to Regulation S-K and Item 16J of Form 20-F to require a registrant to: (a) describe its policies and procedures for the identification and management of risks from cybersecurity threats, including whether the company considers cybersecurity as part of its business strategy, financial planning, and capital allocation; and (b) disclose the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies.
The SEC also proposed a new rule to target board member cyber expertise. Specifically, the SEC has proposed to amend Item 407 of Regulation S-K to require disclosure if any member of the corporate board has experience in handling cybersecurity issues or is an expert in the field. Such a requirement is analogous to disclosure of board members who possess financial expertise.
In reaching such a determination and disclosing a board member’s cyber expertise, the SEC outlined considerations and criteria to apply: (1) whether the director has prior work experience in cybersecurity; (2) whether the director has earned a certification or degree in cybersecurity; and (3) whether the director has knowledge, skills or other background in cybersecurity.