United States SEC proposes new cybersecurity rules for public companies
If adopted, for the first time, these would mandate current and periodic reporting of material cybersecurity incidents
The United States Securities and Exchange Commission (SEC) recently proposed rules that would create a new cybersecurity disclosure regime applicable to public companies.
The rules would require periodic disclosure of a company's policies and procedures to identify and manage cybersecurity risks, management's role and expertise in implementing cybersecurity policies, procedures, and strategies, and the board's oversight role and cybersecurity expertise.
While the rules are not yet effective and a comment period is open, given the heightened policy and investor interest in cybersecurity-related matters in recent years, the requirements are likely to be adopted in a form that is generally consistent with the proposal.
A brief overview of the proposed rules and key takeaways for public companies to consider in anticipation of the final rules being implemented –
1. The proposed rules would require a company to file a Form 8-K within four business days of a determination that a cybersecurity incident it has experienced, is material. The Form 8-K line item would require disclosure of (a) when the incident was discovered and whether it is ongoing; (b) the nature and scope of the incident; (c) whether any data was stolen, altered, accessed, or used for any other unauthorized purpose; (d) the effect of the incident on the company's operations; and (e) whether the company has remediated or is currently remediating the incident.
2. The proposed rules do not specify how to determine the materiality of a cybersecurity incident. Instead, materiality is to be evaluated based on the total mix of information, as is the case with other materiality determinations under the federal securities laws. The proposed rules, however, provide examples of incidents that could be material, such as accidental exposure or theft of sensitive business information, intellectual property or personally identifiable information, threats to sell or publicly disclose sensitive data, and ransomware demands.
3. Under the proposed rules, any material changes or updates to the cybersecurity incidents that were previously disclosed must be disclosed in subsequent Form 10-Q and Form 10-K reports. In addition, a series of individually immaterial cybersecurity incidents that later become material in the aggregate would need to be disclosed in subsequent Form 10-Q and Form 10-K reports.
Cyber security risk management and strategy:
1. The proposed rules would also require companies to disclose more information regarding their cybersecurity risk management strategies. The rules would amend Regulation S-K to require a description of a company's policies and procedures, for identifying and managing risks from cybersecurity threats, including (a) operational risk; (b) intellectual property theft; (c) fraud; (d) extortion; (e) harm to employees or customers; (f) violation of privacy laws and other litigation and legal risk; and (g) reputational risk.
2. The rules specify a series of items that must be disclosed, including a description of the company's cybersecurity risk assessment program, whether the company engages third parties to assess its cybersecurity program, and whether the company's financial condition is reasonably likely to be affected by cybersecurity risks and incidents.
Cyber security governance:
1. Additionally, the proposed rules would require disclosure regarding a company's cybersecurity governance at both the board and management levels. With respect to board oversight, the proposed rules would require disclosure of (1) whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks; (2) the processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and (3) whether and how the board or a board committee considers cybersecurity risks as part of its business strategy, risk management and financial oversight.
2. As regards the management's role, the proposed rules would require specific disclosures, such as (a) specifying management roles responsible for cybersecurity, including whether the company has a chief information security officer or similar role; (b) processes by which responsible persons are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents; and (c) whether and how frequently such persons report to the board or applicable board committee on cybersecurity risk.
Disclosures regarding the Board's expertise:
1. The proposed rules would require disclosure about the cybersecurity expertise of members of the Board, if any. The proposed rules do not define 'cybersecurity expertise' but provide several factors to consider, such as prior work experience or certifications in cybersecurity. Such disclosures would be required in both the company's proxy statement and Form 10-K.
2. The rules include three provisions that potentially mitigate liability concerns associated with the new requirements. One, untimely disclosure of material cybersecurity incidents on Form 8-K would not result in a loss of Form S-3 eligibility. Two, untimely disclosures of material cybersecurity incidents are eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5. Three, directors who are disclosed as having cybersecurity expertise would not qualify as experts under the federal securities laws in the proposing release. SEC indicates that the purpose of the safe harbor is to clarify that the proposed rules would not impose any greater liability or obligations on directors carrying the cybersecurity expertise label (and conversely, that a Board's identification of a cybersecurity expert does not reduce the obligations or liabilities of any other director).
3. Under the proposed rules, the foregoing requirements would also generally apply to foreign private issuers (FPIs).
Ways to navigate effective cybersecurity incident response:
1. The proposed requirement to disclose the existence and key details surrounding a material cybersecurity incident within four business days of determining that an incident is material underscores the importance of (a) implementing a tailored incident response plan in advance of an incident and (b) engaging with counsel immediately after an incident is discovered. In particular, companies should work with the counsel to determine whether an incident is material such that a Form 8-K is required.
2. If disclosure is required, how to ensure that it meets SEC requirements while not compromising the effectiveness of its response or remediation plans. Helpfully, the SEC proposing release specifically indicates that companies would not be expected to disclose specific, technical information about their incident response or their cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede their response or remediation efforts.
3. In addition, close coordination with the counsel will be critical as ongoing internal or external investigations, such as investigations by the law enforcement agencies, would not, under the proposed rules, excuse a delay in disclosure (unlike state data breach notification laws).
4. At the same time, the proposal solicits comments on whether public disclosure could be delayed if requested by the Attorney General due to national security concerns.
Is there a need for the companies to hire cybersecurity consultants:
1. The proposed rules do not identify cybersecurity best practices for public companies, nor do they prescribe cybersecurity practices that companies must follow. However, the proposal identifies a series of items that must be disclosed about companies' cybersecurity risk management strategies (if applicable) and these items could signal the SEC's expectations regarding cybersecurity programs, while compulsory disclosure could impact market practice and investor expectations.
2. For example, the SEC's proposal requires companies to describe whether they use third parties in connection with their cybersecurity risk assessment programs. If the rules are adopted as proposed, the companies do not require the retention of cybersecurity consultants. Instead, the companies could consult with a counsel and members of their technical teams about the appropriateness of their cybersecurity programs. They should allow the resulting disclosure to reflect the board and management's thoughtful and company-specific approach to cybersecurity risk management.
Whether the Board requires a cyber committee and members with cyber expertise:
1. While the proposed rules require disclosure if any Board member has cybersecurity expertise and whether cybersecurity risk oversight is overseen by the full Board, a Board committee or specific members, they should not be read as a pronouncement that all companies must recruit cybersecurity experts or establish cybersecurity committees.
2. As with other areas of risk management, the Boards should take a thoughtful and company-specific approach in determining an effective and appropriate structure for its oversight of cybersecurity risk.